
Budapest Convention: What is it and How is it Being Updated?

The world’s first cybercrime treaty is undergoing an update.  When the Budapest Convention was drafted approximately 20 years ago, the treaty focused on harmonizing laws and increasing cooperation across borders so that a range of cybercrime, such as a denial of service attack or the release of a computer virus, could be prosecuted in the multiple countries affected.  It was written before the exponential growth in Internet usage, the development of cloud computing, and the digitalization of just about every kind of interaction.  These changes have made electronic evidence important to just about every crime—effectively turning almost all crime into cybercrime.  And they have also created enormous challenges for law enforcement given, among other reasons, the global nature of the Internet.  Increasingly, a range of electronic evidence relevant to and critical to the investigation and prosecution of crime – everything from basic subscriber information used to identify particular perpetrators to the content of emails – is stored in a different country from the one where the crime occurred or is being investigated.  This globalization of criminal evidence is creating significant hurdles for law enforcement.[1]

            In response, the Cybercrime Convention Committee has proposed a second protocol to the Budapest Convention designed, among other things, to address these challenges.  The Committee unveiled the provisional text of five provisions over the course of the last two years. These provisions have been the subject of much discussion, including among stakeholders at the November 2019 Octopus Conference.[2]

            This Q and A provides background information about the Budapest Convention as well as some basic information about what this additional protocol includes, why the updates are needed, and what the primary critiques are.

What is the Budapest Convention?

            Officially known as the Council of Europe Convention on Cybercrime, the Budapest Convention – which opened for signatures in 2001 and entered into force in 2004 – was the first international treaty to focus explicitly on cybercrime.[3]  As of the writing of this article, 64 countries have ratified the Budapest Convention – including the United States, which ratified the treaty in 2006. Multiple other countries are in the process of joining the treaty as well.[4]

            The treaty’s objectives are three-fold: 1) harmonizing national laws related to cyber-related crime; 2) supporting the investigation of these crimes; and 3) increasing international cooperation in the fight against cybercrime.[5]  Among other things, the treaty mandates participating countries to adopt legislation outlawing specified cyber-related crimes. It also requires that participating countries adopt certain evidence-gathering rules, such as mechanisms to support things like the expedited preservation of stored data.  And it serves as a limited Mutual Legal Assistance Treaty (MLAT) when the countries involved in a request do not have an existing MLAT.[6]

            As discussed, the treaty was written before the rise of cloud computing, when the vast majority of digital (and other) evidence critical to criminal investigations was held within one’s own territorial borders. It thus premised jurisdiction on data location – operating under the assumption that the relevant national interests and the location of the underlying 0s and 1s were coterminous.  This is no longer the case.  As just one measure of the shift, a 2018 report by the European Commission found that “more than half of all investigations involve a cross-border request to access [electronic] evidence.”[7]  The disconnect between territorial jurisdiction of states and the ways in which data moves and is held across national borders poses significant challenges for law enforcement.  Even when law enforcement knows where to go to request that data, and even in situations in which the relevant countries have friendly relations, the multiple steps required to access the data often lead to lengthy delays.[8] And in other situations, law enforcement may not even know where the data or entity with possession and control of the data is located, and thus may have no idea even where to go to make the request.[9]

            In recognition of these challenges, the Cybercrime Convention Committee created a working group to consider the issues in 2012 which transformed into the Cloud Evidence Group and ultimately recommended the adoption of a treaty update in the form of a Second Additional Protocol.[10]  Negotiations began in September 2017, which have resulted in the drafting of five provisional texts designed to address some of the challenges.  If adopted into the final version of the Second Protocol, these five articles would only be binding on those parties to the Budapest Convention that officially consented to this protocol.[11] The following describes the three contested articles in detail.

What are the Key Provisions in the Draft Second Additional Protocol?

            Negotiations on the Second Additional Protocol are continuing at the writing of this article, although work has been delayed by the COVID-19 pandemic.[12] The Cybercrime Convention Committee has extended the negotiations of the protocol to December 2020.[13]

            As of now, the proposed language focuses on five major provisions: Article 1 – Language of Requests; Article 2 – Videoconferencing; Article 3 – Emergency Mutual Legal Assistance; Article 4 – Direct Disclosure of Subscriber Information; and Article 5 – Giving Effect to Foreign Orders for the Expedited Production of Data.[14] The first two are uncontroversial; the latter three would yield greater change and thus have provoked a range of questions and concerns.[15] These last three provisions are the ones we focus on here.

Article 3 – Emergency Mutual Legal Assistance

            Summary of Proposal – This provision allows a requesting country to seek expedited mutual legal assistance when an emergency exists.[16] An emergency is defined as “a situation in which there is a significant and imminent risk to the life or safety of any natural person.”[17]

            Emergency Process – The requesting country sends an emergency request to the receiving country. The emergency request may be sent from the judicial authorities in the requesting country to the judicial authorities in the receiving country; from the 24/7 point of contact (established under the Budapest Convention) in the requesting country to the 24/7 point of contact in the receiving country; or through Interpol. Once the receiving country agrees that the requirements for an emergency request have been met, the requested electronic evidence can be provided to the requesting country as rapidly as possible.[18]

            Requirements for the Emergency Request – For a request under the emergency provision, the requesting country must: 1) provide facts that establish that an emergency exists pursuant to the definition in the protocol; and 2) explain how the assistance sought is “necessary to respond to the emergency.”[19]

            Why Included – This provision is designed to deal with the reality that mutual legal assistance is ordinarily a time-consuming process—and that waiting for the ordinary process to play out in an emergency would result in the inability to access information critical to protecting against imminent risks to life or safety.[20]

            Concerns raised by Civil Society Groups – While acknowledging that emergency MLA procedures can be important to prevent tragedies, civil society groups cautioned that emergency MLA procedures should be carefully designed to protect privacy and to ensure that these procedures are “not used as a work-around to the standard MLA process.”[21]

Article 4 – Direct Disclosure of Subscriber Information

            Summary – This provision lays out a mechanism for law enforcement in a requesting country to obtain subscriber information directly from a service provider in another country, without going through the mutual legal assistance process.[22]  The subscriber information could include the subscriber’s identity, the subscriber’s payment information, the type of communication service used by the subscriber, the subscriber’s physical address as well as both the subscriber’s static and dynamic IP addresses.[23]  This is the most controversial of the proposals.

            Among the many controversies discussed during the meetings which led to the proposed language was whether so-called “receiving countries” should receive notice if a service provider located in its territory receives a direct disclosure order from foreign law enforcement.  Some countries insisted that this was essential to protecting their sovereign interests, including the privacy rights of their citizens.  Others feared that they would be inundated with such notices, without the resources to adequately review them, and thus the benefits of this provision – to take off some of the pressure from the MLAT system – would be lost.  The provision, as drafted, offers a creative compromise, allowing for countries to choose whether or not they wish to be notified.

            Order from Requesting Country –  Pursuant to this provision, a so-called “competent authority”[24] – meaning a judicial, administrative or other law enforcement authority empowered by the requesting country’s domestic law to authorize disclosure – can directly order a service provider in another country to turn over subscriber information that is within its “possession or control.”[25]  The order must be accompanied by the following “supporting information”: domestic legal grounds for the issuance of the order; the specific provisions of the criminal offense that is the subject of the investigation; and the penalties for the offense, among other required details.[26]  The service provider does not receive a summary of the facts related to the investigation.

            Response by Service Provider in Receiving Country – The protocol envisions that the service provider will respond to the order within 30 days. If the service provider fails to or is unable to provide the evidence within 30 days, the requesting country can seek to enforce the order according to either the newly drafted Article 5 (see below) or by means of other mutual legal assistance.[27]  These are the exclusive means of enforcement.

            Optional Process for Receiving Country to Be Involved – A party may choose to receive simultaneous notice when an order is sent directly to a service provider in the party’s territory. A party may also choose to require the service provider to consult with the receiving country prior to the release of the subscriber information in specified circumstances. If the party opts in to either (or both) of these processes, the authorities in the receiving country may instruct the service provider not to release the evidence if: (i) the disclosure may negatively affect a criminal proceeding in the receiving country or (ii) the receiving country would have grounds for refusal under the MLAT process. The receiving country must “promptly inform” the requesting country that it has instructed the service provider not to release the evidence and must provide a reason for that decision.[28]

            Why Included – This provision is designed to address the interest in more effective and efficient avenues for cross-border access to information important to criminal investigations. Notably, however, it is limited to subscriber information only.  This reflects the fact that subscriber information is often foundational to other investigative steps and is thus one of the most requested types of information in criminal investigations.  In addition, its disclosure is generally considered less intrusive than other categories of data, such as the content of communications.[29]

            Concerns raised by Civil Society Groups – Civil society groups have suggested three key changes: 1) a narrowed definition of subscriber information to avoid excessive disclosure of personal and sensitive data, including location information; 2) required notice to the targeted individual; and 3) required provision by the requesting government of a statement of facts to enable service providers to better identify and protect against abusive requests.[30]

Article 5 – Giving Effect to Orders from Another Party for Expedited Production of Data 

            Summary of Proposed Language – This process is designed to function similarly to mutual legal assistance but in a more streamlined manner.[31] Article 5 provides a procedure that allows an order from the requesting country for both subscriber and traffic data to be treated, in essence, as an order in the country where the request is being sent.[32]

            Order from Requesting Country – A competent authority in the requesting country sends an order to the receiving country.[33] Along with the order, the receiving country is provided with similar “supporting information” to that provided to the service provider under Article 4, plus a summary of the facts related to the investigation.[34] Unlike the process in Article 4, the supporting information is not provided to the service provider  – unless the requesting country gives consent for the service provider to access this information.[35]

            Response by Receiving Country – The receiving country must make reasonable efforts to “give effect”[36] to the order, by serving a disclosure order on the specified service provider within 45 days.  A receiving country may also decline to give effect but must include notice and explanation of the failure to comply.[37]

            Response by Service Provider in Receiving Country – This article envisions that, once served with an order, a service provider will provide requested subscriber information within 20 days and traffic data within 45 days.[38]  The protocol does not discuss when and how service providers can themselves challenge the orders—something that is presumably left to domestic law.

            Why Included – Recognizing the delay in using traditional mutual legal assistance, the provision is intended to complement the existing procedures by providing a streamlined process to access subscriber information and traffic data. This decision to increase the speed with which the information can be obtained reflects that the legal protections for subscriber information and traffic data are generally less stringent than those for the content of communications.[39]

            Concerns raised by Civil Society Groups – Civil society groups are concerned by the requirement that the supporting information be kept “secret” from the service provider.[40]  These groups note that the service provider cannot effectively evaluate the order without access to the supporting information.[41]

What Does and Should Come Next?

            The most dramatic, far-reaching provision is Article 4 — which envisions a mechanism by which law enforcement in one country can directly demand subscriber information from another country without going through official channels.  But even this is a modest step – dealing with subscriber information only.  To get content data and an intermediate category of so-called “traffic data” – including location and other sensitive data – that is located across borders, countries will still need to work through mutual legal assistance or diplomatic channels.  The protocol, if adopted, would set up expedited mechanisms for these types of data.

            In our view, these provisions are a welcome step forward, but need to also come with transparency, oversight, and further protections against abuse.  States and many outside observers are – rightly so – worried about a law enforcement free-for-all, pursuant to which any government actor anywhere can simply compel production of data anywhere under domestic authority alone.[42]  This raises a fear of governments seeking access to data in order to harass and abuse, rather than investigate legitimate and properly-predicated crime.  These are critical considerations to take into account – although the risks can and should be mitigated by the application of and insistence on baseline procedural and substantive rules; careful review, audits and other oversight of the factual predicate for investigations; and refusal by platforms and governments to cooperate with governments that repeatedly violate core rights and freedoms.

            It is also important to note that this work is happening against the backdrop of a China and Russia-led initiative at the United Nations to create an alternative cybercrime treaty, which is framed as an alternative means of asserting sovereignty over the Internet.[43]  The data sovereigntist approach is framed as a means of asserting control over the internet and the data needed for basic governmental functions, including law enforcement.  The proposed amendments to the Budapest Convention, by contrast, envision a world in which data continues to flow across borders, and seek to adjust jurisdictional rules to meet these rules – rather than exercise control over the technology to meet pre-established jurisdictional limits. The relative success or failure of the Budapest Convention Second Protocol will help to shape the Internet of the future.

 


[1] Jennifer Daskal, Peter Swire, & Théodore Christakis, “The Globalization of Criminal Evidence,” IAPP (Oct. 16, 2018), https://iapp.org/news/a/the-globalization-of-criminal-evidence/; Jennifer Daskal, Law Enforcement Access to Data Across Borders: The Evolving Rights & Security Issues, 8 Journal of Nat’l Sec Law & Pol’y 873 (2016), https://jnslp.com/2016/09/06/law-enforcement-access-data-across-borders-evolving-security-rights-issues/. “An increasing number of criminal investigations and proceedings nowadays require access to electronic evidence from service providers in other countries. Even for crimes that are entirely domestic in nature – i.e., where the crime, the victim and the perpetrator are all in the same country as the investigating authority – the electronic evidence may be held by a service provider in the territory of another country.” Article 4.2 – Draft Explanatory Report, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019),  https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[2] October 2019: Cooperation Against Cybercrime, Cybercrime, Council of Europe, https://www.coe.int/en/web/cybercrime/octopus-interface-2019.

[3] Budapest Convention and Related Standards, Council of Europe, https://www.coe.int/en/web/cybercrime/the-budapest-convention; see Convention on Cybercrime, Details of Treaty No. 185, Council of Europe, https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185.

[4] “Currently, the Convention has been … ratified by 64 countries, … including several countries outside the European region.” Council of Europe, CCDCOE, https://ccdcoe.org/organisations/council-of-europe/; see Enhanced International Cooperation on Cybercrime and Electronic Evidence: Towards a Protocol to the Budapest Convention, Council of Europe (Sept. 5, 2019), https://rm.coe.int/summary-towards-a-protocol-to-the-budapest-convention/1680972d07; see also Convention on Cybercrime, Details of Treaty No. 185, Council of Europe, https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185; Global Action on Cybercrime Extended (GLACY+): Project Summary, Cybercrime Program Office of the Council of Europe, (Feb. 18, 2020), https://rm.coe.int/3148-glacy-summary-v5/16809c8ad6.

[5] Preamble, Convention on Cybercrime, Council of Europe, https://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680081561; see Questions and Answers: Mandate for the Second Additional Protocol to the Budapest Convention, European Commission (Feb. 5, 2019), https://ec.europa.eu/commission/presscorner/detail/en/MEMO_19_865; see also Explanatory Report to the Convention on Cybercrime, Council of Europe (2001), https://rm.coe.int/16800cce5b. Privacy International describes these three main aspects of the Budapest Convention as: 1) “a list of crimes;” 2) “investigative powers;” and 3) “cross border assistance.” Box 12. A Note on the Budapest Convention, After the Gold Rush: Developing Cyber Security Frameworks and Cyber Crime Legislation to Safeguard Privacy and Security, Privacy International (Aug. 2018), https://privacyinternational.org/sites/default/files/2018-10/Web_After%20the%20Gold%20Rush-Cybersecurity_0.pdf.

[6] Article 27 – Procedures Pertaining to Mutual Assistance Requests in the Absence of Applicable International Agreements, Convention on Cybercrime, Council of Europe, https://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680081561. “The Convention further provides signatories with guidance on mutual assistance and acts as a mutual legal assistance treaty … for countries that do not have one with the country requesting assistance.” E4J University Module Series: Cybercrime, Module 3: Legal Frameworks and Human Rights, International and Regional Instruments, United Nations Office on Drugs and Crime (Feb. 2019), www.unodc.org/e4j/en/cybercrime/module-3/key-issues/international-and-regional-instruments.html.

[7] Commission Staff Working Document: Impact Assessment, Accompanying the Document, Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters and Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules of the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, European Commission (July 17, 2018), https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018SC0118&from=EN.

[8] “The MLAT process creates a legal mechanism for non-US countries to obtain email records, but the process today is too slow and cumbersome. Requests appear to average approximately 10 months to fulfill, with some requests taking considerably longer.” Richard Clarke, Michael Morell, Geoffrey Stone, Cass Sunstein & Peter Swire, Liberty and Security in a Changing World: Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies, Princeton University Press (2013), https://obamawhitehouse.archives.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf.

[9] “It is effectively impossible for users of services like Facebook or Google’s Gmail to know where their data is stored.” Dillon Reisman, “Where is Your Data, Really?: The Technical Case Against Data Localization,” Lawfare (May 22, 2017), https://www.lawfareblog.com/where-your-data-really-technical-case-against-data-localization.

[10] Enhanced International Cooperation on Cybercrime and Electronic Evidence: Towards a Protocol to the Budapest Convention, Council of Europe (Sept. 5, 2019), https://rm.coe.int/summary-towards-a-protocol-to-the-budapest-convention/1680972d07.

[11] See Article 44 – Amendments, Convention on Cybercrime, Council of Europe, https://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680081561; see also Articles 9 – 16, Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems, Council of Europe (2003), https://rm.coe.int/168008160f.

[12] Enhanced International Cooperation on Cybercrime and Electronic Evidence: Towards a Protocol to the Budapest Convention, Council of Europe (Sept. 5, 2019), https://rm.coe.int/summary-towards-a-protocol-to-the-budapest-convention/1680972d07; see “Workplan and Working Methods,” Cybercrime Convention Committee (T-CY): Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Council of Europe (Nov. 29, 2017) (“drawing from the Final Report and Recommendations of the TC-Y Cloud Evidence Group and, in particular Section 4.5 with possible elements of a Protocol”), https://rm.coe.int/t-cy-2017-20-pdg-workplan/168076cfda; see also Criminal Justice Access to Electronic Evidence in the Cloud: Recommendations for Consideration by the TC-Y, Cybercrime Convention Committee (T-CY), Council of Europe (Sept. 16, 2016), https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016806a495e.

[13] “The Terms of reference for Protocol negotiations have been extended to December 2020 by the T-CY.” Protocol Negotiations, Cybercrime, Council of Europe, https://www.coe.int/en/web/cybercrime/t-cy-drafting-group; see T-CY 21st Plenary, (Draft) Agenda, July 8, 2019, Cybercrime, Council of Europe, https://www.coe.int/en/web/cybercrime/21st-plenary-of-t-cy.

[14] In November 2019, the T-CY Committee publicly released proposed language for the Second Protocol. Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64; see Opinion on the Provisional Text and Explanatory Report of the Draft Second Additional Protocol to the Budapest Convention on Cybercrime (ETS 185) on Direct Disclosure of Subscriber Information and Giving Effect to Orders from Another Party for Expedited Production of Data, Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data: Convention 108, Council of Europe (Nov. 20, 2019), https://rm.coe.int/t-pd-2019-8fin-opinion-second-additionnal-protocol/168098e42a.

[15] The civil society groups do not necessarily agree that all of the articles in the proposed protocol should be adopted. See “Joint Civil Society Response to the Provisional Draft Text of the Second Additional Protocol to the Budapest Convention on Cybercrime,” Electronic Frontier Foundation (EFF), European Digital Rights (EDRi), IT-Pol Denmark, and Electronic Privacy Information Center (EPIC) (Nov. 7, 2019), https://www.eff.org/document/eff-comments-additions-budapest-protocol-cybercrime; “Joint Civil Society Response to Discussion Guide on a 2nd Additional Protocol to the Budapest Convention on Cybercrime,” Electronic Frontier Foundation (EFF), European Digital Rights (EDRi), Association for Civil Rights (ADC), Derechos Digitales América Latina, Elektronisk Forpost Norge (EFN), IPANDETEC, Karisma Foundation, OpenMedia, Panoptykon Foundation, R3D: Red en Defensa de los Derechos Digitales, Samuelson-Glushko Canadian Internet and Public Interest Clinic (CIPPIC), SonTusDatos, and TEDIC (June 28, 2018), https://www.eff.org/document/joint-civil-society-response-discussion-guide-2nd-additional-protocol-budapest-convention.

[16] Article 3.1 – Draft Text, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[17] Article 3.1 – Draft Text, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[18] “Each Party may seek mutual assistance on a rapidly expedited basis where it is of the view that an emergency exists. … Once satisfied that an emergency exists and the other requirements for mutual assistance are satisfied, the requested Party shall respond to the request on the most rapidly expedited basis possible.” Article 3.1 – Draft Text, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64; see Workplan and Working Methods, Cybercrime Convention Committee (T-CY): Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Council of Europe (Nov. 29, 2017) (“drawing from the Final Report and Recommendations of the TC-Y Cloud Evidence Group and, in particular Section 4.5 with possible elements of a Protocol”), https://rm.coe.int/t-cy-2017-20-pdg-workplan/168076cfda; see also “Parties are encouraged to establish emergency procedures for requests related to risks of life and similar exigent circumstances. The T-CY should document practices by Parties and providers.” Criminal Justice Access to Electronic Evidence in the Cloud: Recommendations for Consideration by the TC-Y, Cybercrime Convention Committee (T-CY), Council of Europe (Sept. 16, 2016), https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016806a495e.

[19] Article 3.2 – Draft Explanatory Report, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[20] Article 3.2 – Draft Explanatory Report, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[21] The four-pronged recommendations from civil society include: 1) adopting a narrow definition of an ‘emergency situation’ to ensure “reasonable grounds” exist to believe there is “an immediate risk of danger to human life or serious bodily harm to an identifiable person or group;” 2) requiring that gaining access to the information stored in another country is “necessary to prevent that serious harm;” 3) establishing that there is not sufficient time to prevent the harm if the MLA process is used; and 4) demonstrating that there are grounds to believe that the requesting party would be able to obtain the requested information through the MLA process. “Joint Civil Society Response to Discussion Guide on a 2nd Additional Protocol to the Budapest Convention on Cybercrime,” Electronic Frontier Foundation (EFF), European Digital Rights (EDRi), Association for Civil Rights (ADC), Derechos Digitales América Latina, Elektronisk Forpost Norge (EFN), IPANDETEC, Karisma Foundation, OpenMedia, Panoptykon Foundation, R3D: Red en Defensa de los Derechos Digitales, Samuelson-Glushko Canadian Internet and Public Interest Clinic (CIPPIC), SonTusDatos, and TEDIC (June 28, 2018), https://www.eff.org/document/joint-civil-society-response-discussion-guide-2nd-additional-protocol-budapest-convention.

[22] Article 4.1 – Draft Text, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[23] The draft explanatory report explains: “Information needed for the purpose of identifying a subscriber of a service may include certain Internet Protocol (IP) address information – for example, the IP address used at the time when an account was created, the most recent log-on IP address or the log-on IP addresses used at a specific time.” Article 4.2.4 – Draft Explanatory Report, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64; see Conditions for Obtaining Subscriber Information in Relation to Dynamic Versus Static IP Addresses: Overview of Relevant Court Decisions and Developments, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe, https://rm.coe.int/t-cy-2018-26-ip-addresses-v6/16808ea472.

[24] “Paragraph 138 of the Explanatory Report to the Budapest Convention provides that the term ‘competent authorities’ refers to a judicial, administrative or other law enforcement authority that is empowered by domestic law to order, authorise or undertake the procedural measure. The same approach is foreseen for purposes of the direct cooperation procedure in this Article. Accordingly, the national legal system of a Party will govern which authority is considered as a competent authority to issue an order.” Article 4.2 – Draft Explanatory Report, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64. This proposed article provides an option for a party to the treaty to require that the order be issued by or under the supervision of a judge, a prosecutor, or another independent body. Article 4.1 – Draft Text, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[25] Article 4.1 – Draft Text, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64; see Justin Hemmings, Sreenidhi Srinivasan, & Peter Swire, Defining the Scope of “Possession, Custody, or Control” for Privacy Issues and the Cloud Act, Journal of National Security Law & Policy (Jan. 23, 2020), https://jnslp.com/2020/01/23/defining-the-scope-of-possession-custody-or-control-for-privacy-issues-and-the-cloud-act/.

[26] Article 4.1 – Draft Text, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[27] Article 4.1 – Draft Text, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64; Article 4.2 – Draft Explanatory Report, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[28] Article 4.1 – Draft Text, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[29] Article 4.2 – Draft Explanatory Report, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[30] “Joint Civil Society Response to the Provisional Draft Text of the Second Additional Protocol to the Budapest Convention on Cybercrime,” Electronic Frontier Foundation (EFF), European Digital Rights (EDRi), IT-Pol Denmark, and Electronic Privacy Information Center (EPIC) (Nov. 7, 2019), https://www.eff.org/document/eff-comments-additions-budapest-protocol-cybercrime; see “Policy Brief: The Impact on the Procedural Rights of Defendants of Cross-Border Access to Electronic Data Through Judicial Cooperation in Criminal Matters,” Fair Trials (Oct. 2018), https://fairtrials.org/sites/default/files/JUD-IT-Fair-Trials-Policy-Brief-October-2018.pdf.

[31] Article 5.2 – Draft Explanatory Report, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[32] Article 5.1 – Draft Text, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[33] The “order” referred to in this article is meant to be any legal process that can compel a service provider to produce subscriber information or traffic data – including a production order or a subpoena. Article 5.2 – Draft Explanatory Report, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[34] Article 5.1 – Draft Text, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[35] The proposed language includes: “The supporting information, provided for the purpose of assisting the requested Party give effect to the order and which shall not be disclosed to the service provider without the consent of the requesting Party, shall specify:

i. the domestic legal grounds that empower the authority to issue the order;

ii. the legal provisions and applicable penalties for the offence(s) being investigated or prosecuted;

iii. why the requesting Party believes that the service provider is in possession or control of the data;

iv. a summary of the facts related to the investigation or proceeding;

v. the relevance of the information or data to the investigation or proceeding;

vi. contact information of an authority or authorities to provide further information;

vii. whether preservation of the information or data has already been sought, including date of preservation and any applicable reference number; and

viii. whether the data has already been sought by other means, and in what manner.”

Article 5.1 – Draft Text, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64; see “Workplan and Working Methods,” Cybercrime Convention Committee (T-CY): Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Council of Europe (Nov. 29, 2017) (“drawing from the Final Report and Recommendations of the T-CY Cloud Evidence Group and, in particular Section 4.5 with possible elements of a Protocol”), https://rm.coe.int/t-cy-2017-20-pdg-workplan/168076cfda. “When preparing a draft Protocol to the Budapest Convention, the feasibility of incorporating elements of the EIO into a Protocol as an international production order could be established.” Criminal Justice Access to Electronic Evidence in the Cloud: Recommendations for Consideration by the T-CY, Cybercrime Convention Committee (T-CY), Council of Europe (Sept. 16, 2016), https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016806a495e.

[36] “[A] requested Party may give effect to a requesting Party’s order by accepting it as equivalent to domestic orders, by endorsing it to give it the same effect as a domestic order, or by issuing its own production order.” Article 5.2 – Draft Explanatory Report, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[37] Article 5.1 – Draft Text, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[38] Article 5.1 – Draft Text, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[39] Article 5.2 – Draft Explanatory Report, Provisional Text of Provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (Oct. 1, 2019), https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.

[40] “Joint Civil Society Response to the Provisional Draft Text of the Second Additional Protocol to the Budapest Convention on Cybercrime,” Electronic Frontier Foundation (EFF), European Digital Rights (EDRi), IT-Pol Denmark, and Electronic Privacy Information Center (EPIC) (Nov. 7, 2019), https://www.eff.org/document/eff-comments-additions-budapest-protocol-cybercrime.

[41] “Joint Civil Society Response to Discussion Guide on a 2nd Additional Protocol to the Budapest Convention on Cybercrime,” Electronic Frontier Foundation (EFF), European Digital Rights (EDRi), Association for Civil Rights (ADC), Derechos Digitales América Latina, Elektronisk Forpost Norge (EFN), IPANDETEC, Karisma Foundation, OpenMedia, Panoptykon Foundation, R3D: Red en Defensa de los Derechos Digitales, Samuelson-Glushko Canadian Internet and Public Interest Clinic (CIPPIC), SonTusDatos, and TEDIC (June 28, 2018), https://www.eff.org/document/joint-civil-society-response-discussion-guide-2nd-additional-protocol-budapest-convention.

[42] This concern of a ‘race to the bottom’ – without proper protections being put in place – was also raised during the original drafting of the Budapest Convention. See DeBrae Kennedy-Mayo, In Search of a Balance Between Police Power and Privacy in the Cybercrime Treaty, Richmond Journal of Law and Technology (2002), https://scholarship.richmond.edu/jolt/vol9/iss1/5/; see also “Global Internet Liberty Campaign Member Letter on Council of Europe Convention on Cyber-Crime,” Global Internet Liberty Campaign (Oct. 18, 2000), http://gilc.org/privacy/coe-letter-1000.html.

[43] “[The Budapest Convention is] the only global treaty that exists with a common vision for trying to facilitate international cooperation on cybercrime that also aims to protect the rule of law and an open internet.” Allison Peters, “Russia and China are Trying to Set the U.N.’s Rules on Cybercrime,” Argument, Foreign Policy (Sept. 16, 2019), https://foreignpolicy.com/2019/09/16/russia-and-china-are-trying-to-set-the-u-n-s-rules-on-cybercrime/; see Joyce Hakmeh and Allison Peters, “A New UN Cybercrime Treaty? The Way Forward for Supporters of an Open, Free, and Secure Internet,” Council on Foreign Relations (Jan. 13, 2020), https://www.cfr.org/blog/new-un-cybercrime-treaty-way-forward-supporters-open-free-and-secure-internet.