Update: On November 17, 2021, the Committee of Ministers of the Council of Europe adopted the Second Additional Protocol to the Budapest Convention. The Protocol is expected to be open to parties of the Convention for signature in May 2022.[59]
*****
This November, the Council of Europe (CoE) hopes to finalize the adoption of the Second Additional Protocol to the Budapest Convention, in time for the 20th anniversary of the opening for signatures of the Convention in Budapest, Hungary.[1] When created, the Convention focused especially on addressing one category of crime, cybercrime, which often involved attacks from a foreign country. By contrast, the past two decades have seen the “globalization of criminal evidence.”[2] Due to cloud computing and other developments, evidence relevant to the investigation of many sorts of crimes may be stored in a country other than the site of the crime.[3] The new protocol has sought to address issues concerning investigation of these additional categories of crime.
In May of this year, after nearly 4 years and more than 90 meetings,[4] the Protocol Drafting Plenary of the Cybercrime Convention Committee (T-CY) concluded its work by releasing the latest version of the protocol (“2021 Version”).[5] This article updates the Cross-Border Data Forum discussion of the first publicly released version of the protocol in 2019 (“2019 Draft”).[6]
Although the 2021 Version seeks to address both criminal justice and data protection goals, it has received criticism on privacy grounds. According to the T-CY, the 2021 Version “achieves an outcome … that reconciles measures for an effective criminal justice response with strong rule of law and data protection safeguards.”[7] Numerous civil society groups – including the Electronic Frontier Foundation (EFF)[8] and Human Rights Watch[9] – cautioned that the protocol could weaken or bypass due process rights and privacy rights. The European Data Protection Board (EDPB) stressed that it is key to determine whether the new provisions related to the protection of personal data would meet the requirements of EU law.[10] The EDPB expressed its belief that the data protection safeguards, for government requests for data, should comply with key principles such as “lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality” – noting that all of these principles are found in the CoE Convention 108+.[11]
Since May, the relevant CoE bodies have been reviewing the 2021 Version with the expectation of the Protocol being formally adopted in November. On September 14, the Committee on Legal Affairs and Human Rights for the Parliamentary Assembly for the Council of Europe (PACE) held a hearing where T-CY representatives as well as an EFF representative spoke. Katitza Rodriguez, EFF’s Policy Director for Global Privacy, raised concerns that the Protocol as drafted failed to impose “baseline safeguards in cross-border evidence gathering” and urged the Committee to make accession to the Protocol conditional upon parties signing Convention 108+.[12] On September 28, PACE’s Committee on Legal Affairs and Human Rights issued its report, including a draft opinion.[13] On September 30, PACE adopted a provisional opinion – incorporating the precise language of the draft opinion of its Committee on Legal Affairs and Human Rights.[14] In the opinion, PACE recommended numerous amendments – several of which focused on privacy concerns.[15] The vote by the Committee of Ministers on whether to integrate any recommendations from PACE into the final text is expected in time for the Second Additional Protocol to be formally adopted in November.[16]
This article summarizes the 2021 Version of the protocol, which has 15 Articles compared to only 5 in the 2019 Draft: 1) significant provisions retained from the 2019 Draft; 2) new provisions added to categories in the 2019 Draft – direct disclosure of domain name registration information, and expedited disclosure of stored computer data in an emergency; and 3) two much-anticipated provisions related to data protection under the protocol.
1) Provisions Retained from the 2019 Draft
The 2021 Version retains all the articles from the 2019 Draft – including direct disclosure of subscriber information, expedited production of subscriber information and traffic data, and emergency mutual assistance.
- Article 7 – Direct Disclosure of Subscriber Information (Article 4 in 2019 Draft): In the 2019 Draft, this provision for direct disclosure of subscriber information received significant criticism from civil society groups, but it remained essentially the same in the 2021 Version. Under the provision, law enforcement in a requesting country can directly obtain subscriber information from a service provider in another country.[17] This approach does not require the requesting party to utilize the mutual legal assistance process.[18]
- Article 8 – Expedited Production of Subscriber Information and Traffic Data (Article 5 in 2019 Draft): This provision is designed to function in a manner similar to mutual legal assistance but in a more streamlined way. For both subscriber data and traffic data, Article 8 allows an order from the requesting country to be treated, in essence, as an order in the country where the request is being sent.
- Article 10 – Emergency Mutual Assistance (Article 3 in 2019 Draft): This provision is intended to provide a rapidly expedited procedure for mutual assistance requests made in emergency situations.[19]
2) New Provisions Added to Categories in 2019 Draft
Two of the new provisions in the 2021 Version relate to the categories of direct disclosure and expedited disclosure in the 2019 Draft: Article 6 – Direct Disclosure of Domain Name Registration Information; and Article 9 – Expedited Disclosure of Stored Computer Data in an Emergency. Consistent with the 2019 Draft, neither of these types of requests would require the requesting party to utilize the mutual legal assistance process. The application of these two new provisions is complicated as neither mandates production of the data in every instance.[20]
Article 6 – Direct Disclosure of Domain Name Registration Information
Summary of New Provision – This new provision addresses the main restrictions resulting from the 2018 EU determination concerning access by law enforcement to data held by WHOIS – a database maintained by ICANN that records the registered owners of domain names.[21] The new provision lays out a mechanism for law enforcement in a requesting country to obtain domain name registration information directly from an entity in another country – without going through the mutual legal assistance process. In response to a valid request, the entity providing “domain name registration services” is expected to provide the relevant “information in the entity’s possession or control.”[22] The term “domain name registration information” is intended to provide information for “identifying and contacting the registrant of a domain name.”[23]
Entities covered by article – According to the Explanatory Report, these requests could be made to “organisations that sell domain names to the public” (“registrars”) as well as to “regional or national registry operators which keep authoritative databases of all domain names registered for a top-level domain” (“registries”).[24]
Optional for Parties to Require Entities to Respond to These Requests – This provision requires parties to adopt measures that would permit covered entities to disclose information in response to a request for domain name information.[25] Parties are not required to adopt legislation obligating the entities to respond to these requests.[26]
Concerns Raised by Commenters – ICANN raised concerns about the interactions between this article and Article 7 – Direct Disclosure of Subscriber Information. ICANN noted that the Explanatory Report stated that certain information that could be deemed “domain name registration information” might be deemed by some parties as a subset of “subscriber information” – meaning that the voluntary nature of Article 6 for registrars and registries could potentially become mandatory for service providers under Article 7.[27] The New Zealand Privacy Commission said the requests discussed in Article 6 “should meet the test of proportionality.”[28] EuroISPA explained that it was unclear whether the term “possession or control” in Article 6 included data held by a subsidiary of the service provider in a foreign country; such subsidiaries may be required to produce data under the U.S. legal doctrine of “possession, custody and control.”[29]
Article 9 – Expedited Disclosure of Stored Computer Data in an Emergency
Summary of New Provision – This provision permits each party to utilize its 24/7 points of contact (established under the Budapest Convention) to both send and receive immediate requests to “a point of contact in another Party seeking immediate assistance in obtaining from a service provider in the territory of that Party the expedited disclosure of specified, stored computer data” in an emergency situation – without the need to make a request for mutual legal assistance. “Specified, stored computer data” is meant to include stored subscriber information, stored traffic data, and stored content.[30]
Definition of Emergency – As in Article 10, Emergency Mutual Assistance, an emergency is defined as “a situation in which there is a significant and imminent risk to the life or safety of any natural person.”[31] Examples of emergencies under the Protocol include: “hostage situations in which there is a credible risk of imminent loss of life, serious injury or other comparable harm to the victim; ongoing sexual abuse of a child; immediate post terrorist attack scenarios in which authorities seek to determine with whom the attackers communicated in order to determine if further attacks are imminent; and threats to the security of critical infrastructure in which there is a significant and imminent risk to the life or safety of a natural person.”[32]
Optional Nature of This Provision for Subscriber Information – A party may declare that it will not execute requests for expedited disclosure only of subscriber information either at the time of signing of the protocol or at the time of ratification.[33]
Interaction Between Article 9 and Article 10 – With the addition of Article 9, the protocol provides two avenues to address emergency requests. Under Article 9, the party does not need to utilize an MLA request to make an emergency request for stored computer data. Instead, the party can make a request for expedited disclosure of stored computer data in an emergency via its 24/7 network. It is important to note that parties have the option to decline to respond to certain types of requests under Article 9. Article 10 allows for emergency requests for mutual assistance on a rapidly expedited basis. Under Article 10, the party can seek cooperation with the emergency MLA request beyond stored data held by providers. Notably, evidence obtained via the MLA method may be easier to authenticate for criminal prosecutions.[34]
Concerns Raised by Commenters – Kaspersky noted that Article 9 fails to “provide clarity on legal consequences if the data disclosed is misused further (or, particularly, is not deleted after serving the initial purpose) by the requested Party.”[35] EuroISPA raised concern over the term “possession or control” as it did with Article 6.[36]
3) Newly Released Provisions Related to Protection of Personal Data
New to the 2021 Version are two much-anticipated provisions related to data protection and privacy: Article 13 – Conditions and Safeguards and Article 14 – Protection of Personal Data. Importantly, the provisions related to data protection state that in most instances parties are not permitted to require additional safeguards, beyond those detailed in the articles, of the requesting party for data transferred pursuant to the protocol.[37]
Article 13 – Conditions and Safeguards
Summary of New Provision – This provision requires parties to ensure that their domestic law provides for adequate protection of human rights and liberties. When discussing the fact that the powers and procedures required by this protocol are subject to “conditions and safeguards,” the provision references Article 15 of the Budapest Convention – Conditions and Safeguards. That treaty provision discusses obligations that parties have undertaken with regard to international treaties, such as the 1966 UN International Covenant on Civil and Political Rights.[38]
Concerns Raised by Commenters – The Canadian Privacy Commission stated that “necessity and proportionality (as well as non-discrimination) must be built into the internal processes for making data requests” – notably “where risks are heightened in the context of international investigations by police.”[39] Access Now viewed this provision as protecting fundamental rights and raised concerns that a number of parties to the Budapest Convention, including the U.S., lack a comprehensive data protection framework.[40]
Article 14 – Protection of Personal Data
Summary of New Provision – This provision details the protections required for personal data at issue in requests made pursuant to the Protocol. Most of the public comments approved of the inclusion of these substantial protections but expressed concerns that two exceptions may make the inclusion of these protections, in essence, moot.
Required Protections for Personal Data – According to the provision, each party is required to provide protections for the processing of data that it receives from requests.[41] The list of protections includes: limitations on the use of the data to purposes described in the Protocol; safeguards for sensitive data; data retention requirements; restrictions on automated decisions; requirements for data security measures; limitations on onward transfers; and requirements to have in place judicial and non-judicial remedies to provide redress for violations of this provision. The provision provides two noteworthy exceptions to the requirement for these protections.
Exception #1 – The protections in Article 14 are not required when both the requesting party and the receiving party are “mutually bound by an international agreement that establishes a comprehensive framework between those Parties for the protection of personal data” which applies to law enforcement requests.[42] The Explanatory Report provides two examples of such agreements: 1) Convention 108+; and 2) EU-U.S. Umbrella Agreement.[43] In addition, the Executive Agreements under the U.S. CLOUD Act would likely qualify as “agreements” under this exception.[44]
Exception #2 – In lieu of the protections set forth in Article 14, a requesting party and a receiving party – that are not bound by an international agreement under Exception #1 – can mutually agree to transfer personal data on the basis of an informal arrangement. There appears to be no requirement that these arrangements be either publicly available or binding on the parties.[45]
Two Instances where Data Transfers Deemed to Meet Each Party’s Requirements for International Transfers – The transfers are deemed to meet each party’s requirements for international transfer and “no further authorization for transfer shall be required under that legal framework” in two circumstances: when the required protections are satisfied or when Exception #1 is utilized.[46] It is not surprising that when transfers occur in accordance with the required laundry list of protections, the transfers are deemed to meet each party’s requirements for international transfer. The more controversial instance where these transfers are deemed compliant is when they occur with respect to Exception #1.[47]
Parties’ Ability to Prevent Personal Data Transfers to Another Party – This provision of the Protocol is not permissive for entities or voluntary for parties. A party’s ability to suspend or refuse transfers of personal data under this provision is limited.[48]
Concerns Raised by Commenters – Many of the concerns raised by civil society groups about the protocol revolve around this provision. EFF stated it is their belief that parts of this provision may undermine modern concepts of data protection.[49] CS Coalition, EFF, and EuroISPA questioned whether the requirements in Article 14 would be in compliance with EU law.[50] To strengthen this provision, Access Now, ADC, CS Coalition, and EFF requested that the protocol either reference the key provisions of Convention 108+ or require parties to accede to that convention.[51]
Change in International Landscape Since Release of 2019 Draft
Since the release of the 2019 Draft of the protocol, the international landscape for addressing cybercrime issues has become more complex. In December 2019, the United Nations (U.N.) passed a resolution to begin the process of drafting a global cybercrime treaty.[52] Initially, this U.N. process was championed by countries that had not signed the Budapest Convention – including Russia, China, and North Korea.[53] Since the resolution’s passage in late 2019, countries that initially opposed this approach to a U.N. cybercrime treaty and that are signatories to the Budapest Convention – including the U.S., Australia, and Japan – now serve as vice-chairs on the committee that will begin drafting the U.N. treaty in 2022.[54] As these U.N. discussions are set to begin, the Council of the European Union notes its support for the complementary efforts of the U.N. and the Budapest Convention.[55]
Conclusion and Next Steps
After extensive negotiation, the 2021 Version of the Second Additional Protocol adds multiple provisions to the 2019 Draft, with the stated goal both to improve criminal investigations and protect the rule of law and personal data. In September of this year, PACE recommended numerous amendments to the 2021 Version including: adding language concerning “the principle of proportionality” into Article 13; adding language into Article 14 Section 2 that processing according to this provision constitutes “a necessary and proportionate measure in a democratic society;” and adding a requirement into the Protocol that compels Parties to make use of “investigative instruments at their disposal … also on behalf of the defence.”[56] Next, the Committee of Ministers will vote on whether to integrate any recommendations from PACE into the final text.[57] The announced goal is to complete approval of the protocol by November, 2021, to take effect in 2022.[58]
These statements are attributable only to the authors, and their publication here does not necessarily reflect the views of the Cross-Border Data Forum or any participating individuals or organizations.
[1] With this schedule, the protocol is expected to be open for signature to parties of the Budapest Convention in 2022. “E-Evidence Protocol Approved by Cybercrime Convention Committee,” Cybercrime News, Council of Europe (May 31, 2021), https://www.coe.int/en/web/cybercrime/-/e-evidence-protocol-approved-by-cybercrime-convention-committee; see “20 Years of the Convention on Cybercrime: Join the Celebration!” Cybercrime News, Council of Europe (Sep. 28, 2021), https://www.coe.int/en/web/cybercrime/-/20-years-of-the-convention-on-cybercrime-join-the-celebration-. Signatories include: EU Member States, Australia, Canada, Israel, Japan, the U.K., and the U.S. “Parties/Observers to the Budapest Convention and Observer Organisations to the T-CY,” Council of Europe https://www.coe.int/en/web/cybercrime/parties-observers.
[2] Jennifer Daskal, Peter Swire & Théodore Christakis, “The Globalization of Criminal Evidence,” IAPP (Oct. 16, 2018), https://iapp.org/news/a/the-globalization-of-criminal-evidence/.
[3] “[M]ore than half of all investigations involve a cross-border request to access [electronic] evidence.” Commission Staff Working Document: Impact Assessment, Accompanying the Document, Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters and Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, European Commission (July 17, 2018), https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018SC0118&from=EN.
[4] 5 Conclusion, Summary of Comments on Opinions by Council of Europe Committees and Submissions by Other Stakeholders on the Draft 2nd Additional Protocol to the Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (May 2021), https://rm.coe.int/0900001680a2aa1dVersion.
[5] On May 28, 2021, the drafters released Version 3 of the Second Additional Protocol, which included for the first time a discussion in the Explanatory Report of the data protection provisions. Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence, Draft Protocol Version 3 (May 28, 2021), Cybercrime Convention Committee (T-CY), Council of Europe, https://rm.coe.int/0900001680a2aa1c. This May 28 document is referenced in this article as the “2021 Version.”
On April 12, 2021, the Protocol Drafting Plenary of the Cybercrime Convention Committee (T-CY) made the complete text of the protocol publicly available (Version 2). Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence, Draft Protocol Version 2 (Apr. 12, 2021), Cybercrime Convention Committee (T-CY), Council of Europe, https://rm.coe.int/2nd-additional-protocol-budapest-convention-en/1680a2219c. This draft was the first time that the language of new provisions related to data protection had been available to external stakeholders, and even this draft was without an Explanatory Report for these new provisions related to data protection.
Comments from interested groups concerning Version 2 were due only three weeks after the draft’s release. “Consultations with Civil Society, Data Protection Authorities and Industry on 2nd Additional Protocol to the Budapest Convention on Cybercrime,” T-CY Committee, Council of Europe, https://www.coe.int/en/web/cybercrime/protocol-consultations. Because of the short timeframe for comments, numerous groups urged the T-CY to provide additional time for analysis – particularly related to the new provisions concerning data protection and privacy. A group of approximately 40 civil society groups from around the world – including Access Now, ARTICLE19, Electronic Frontier Foundation, Human Rights Watch, and Privacy International – sent a letter asking that external stakeholders be given “further opportunity to comment on the significant changes introduced to the text on the eve of the final consultation round.” Electronic Frontier Foundation et al., Letter Regarding Ensuring Meaningful Consultation in Cybercrime Negotiations (May 31, 2021), https://www.eff.org/files/2021/06/07/final_letter_-_council_of_europe-final.pdf. The EDPB noted that the short timeframe for review was “highly regrettable” – “given the importance of the draft provisions at stake and the need to ensure a sound consultation of all parties, and in particular data protection authorities.” EDPB Contribution to the 6th Round of Consultations on the Draft Second Additional Protocol to the Council of Europe Budapest Convention on Cybercrime (May 4, 2021), https://rm.coe.int/0900001680a26108.
[6] See Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence, Draft Protocol Version 1 (Oct. 1, 2019), Cybercrime Convention Committee (T-CY), Council of Europe, https://rm.coe.int/provisional-text-of-provisions-2nd-protocol-/168097fe64.
[7] 5 Conclusion, Summary of Comments on Opinions by Council of Europe Committees and Submissions by Other Stakeholders on the Draft 2nd Additional Protocol to the Convention on Cybercrime, Cybercrime Convention Committee (T-CY), Council of Europe (May 2021), https://rm.coe.int/0900001680a2aa1dVersion.
[8] EFF has written a series of articles detailing its concerns about the protocol. See Katitza Rodriguez, “EFF to Council of Europe: Cross Border Surveillance Treaty Must Have Ironclad Safeguards to Protect Individual Rights and Users’ Data,” EFF (Sep. 8, 2021), https://www.eff.org/deeplinks/2021/09/eff-council-europe-cross-border-police-surveillance-treaty-must-have-ironclad; Karen Gullo & Katitza Rodriguez, “EFF to Council of Europe: Flawed Cross Border Police Surveillance Treaty Needs Fixing – Here are Our Recommendations to Strengthen Privacy and Data Protections Around the World,” EFF (Aug. 30, 2021), https://www.eff.org/deeplinks/2021/08/eff-council-europe-flawed-cross-border-police-surveillance-treaty-needs-fixing; Katitza Rodriguez & Tamir Israel, “Global Law Enforcement Convention Weakens Privacy & Human Rights,” EFF (Jun. 8, 2021), https://www.eff.org/deeplinks/2021/06/global-law-enforcement-convention-weakens-privacy-human-rights.
[9] Deborah Brown, “Cybercrime is Dangerous, But a New UN Treaty Could Be Worse for Rights,” Human Rights Watch (Aug. 13, 2021), https://www.hrw.org/news/2021/08/13/cybercrime-dangerous-new-un-treaty-could-be-worse-rights#.
[10] EDPB Contribution to the 6th Round of Consultations on the Draft Second Additional Protocol to the Council of Europe Budapest Convention on Cybercrime (May 4, 2021), https://rm.coe.int/0900001680a26108.
[11] Statement 02/2021 on New Draft Provisions of the Second Additional Protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), EDPB (Feb. 2, 2021), https://edpb.europa.eu/sites/default/files/files/file1/statement022021onbudapestconventionnewprovisions_en.pdf; see Convention 108 and Protocols, Council of Europe, https://www.coe.int/en/web/data-protection/convention108-and-protocol.
[12] Appendix – Hearing on 14 September 2021, Draft Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence, Report Doc. 15379 (Sep. 28, 2021), Committee on Legal Affairs and Human Rights, PACE, https://pace.coe.int/en/files/29475/html#_TOC_d19e556; see Karen Gullo & Katitza Rodriguez, “EFF to Council of Europe: Flawed Cross Border Police Surveillance Treaty Needs Fixing – Here are Our Recommendations to Strengthen Privacy and Data Protections Across the World,” EFF (Aug. 30, 2021), https://www.eff.org/deeplinks/2021/08/eff-council-europe-flawed-cross-border-police-surveillance-treaty-needs-fixing.
[13] According to the report, the Protocol “strikes a reasonable balance” that allows “minimum standards of protection” for all parties while allowing parties that choose to do so to increase privacy protections without those heightened standards jeopardizing “the common goal of the Convention … to make international co-operation in the fight against cybercrime more efficient and effective.” Draft Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence, Report Doc. 15379 (Sep. 28, 2021), Committee on Legal Affairs and Human Rights, PACE, https://pace.coe.int/en/files/29475/html#_TOC_d19e556.
[14] Draft Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence, Opinion 299 (2021) – Provisional Version, PACE, https://pace.coe.int/en/files/29530/html; see Draft Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence, Report Doc. 15379 (Sep. 28, 2021), Committee on Legal Affairs and Human Rights, PACE, https://pace.coe.int/en/files/29475/html#_TOC_d19e556.
[15] The full list of suggestions in PACE’s opinion is as follows:
– “enshrine the application of the principle of proportionality in the text of Article 13, in addition to this being mentioned in the Draft Protocol’s explanatory report;”
– “specify in Article 14 paragraph 2 that the further processing of personal data by the receiving Party shall be provided by law, and shall constitute a necessary and proportionate measure in a democratic society to safeguard important objectives of general public interest or shall otherwise provide for the adequate protection of human rights and liberties;”
– “include in the list of information to be made available to data subjects under Article 14 paragraph 11 the contact details of the competent data controller;”
– “update paragraph 12.b of the Draft Protocol so as to ensure that as a general rule, information to individuals related to access and rectification shall be provided free of charge;”
– “expressly recognise in the text of the Draft Protocol or its explanatory report that privileges and immunities of certain professions such as lawyers, doctors, journalists, religious ministers, or parliamentarians shall be respected;”
– “make mandatory the public disclosure, by oversight authorities, of aggregate information on the use of the measures under the Protocol and on the number of individuals affected by them;”
– “in the provisions allowing evidence taking by video conferencing, to accommodate witness protection measures available at national level; and to include the possibility for lawyers to participate in a hearing conducted by video conference to be able to defend their clients’ interests;”
– “to enhance ″equality of arms″ between prosecution and defence by compelling the competent authorities of the Parties to make use of the investigative instruments placed at their disposal by the Draft Protocol also on behalf of the defence.”
Draft Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence, Opinion 299 (2021) – Provisional Version, PACE, https://pace.coe.int/en/files/29530/html. These recommendations are identical to those found in the draft opinion in the Report by PACE’s Committee on Legal Affairs and Human Rights. Draft Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence, Report Doc. 15379 (Sep. 28, 2021), Committee on Legal Affairs and Human Rights, PACE, https://pace.coe.int/en/files/29475/html#_TOC_d19e556.
[16] See Committee of Ministers, PACE, https://www.coe.int/en/web/cm/home?desktop=true. “E-Evidence Protocol Approved by Cybercrime Convention Committee,” Cybercrime News, Council of Europe (May 31, 2021), https://www.coe.int/en/web/cybercrime/-/e-evidence-protocol-approved-by-cybercrime-convention-committee.
[17] The subscriber information could include the subscriber’s identity, the subscriber’s payment information, the type of communication service used by the subscriber, the subscriber’s physical address as well as both the subscriber’s static and dynamic IP addresses. Explanatory Report Para. 93, 2021 Version.
[18] Version 2021 adds the following to the list of supplemental information to be included in the order: “if applicable, a statement that simultaneous notification has been made” concerning Section 5 of the article – a section that details a party choosing to require simultaneous notification of the order. Minor language changes have been made to Section 5 in the 2021 Version. See Article 7, 2021 Version; Article 4, 2019 Version.
[19] Article 10, 2021 Version; see Explanatory Report Para. 171, 2021 Version. The main language change from the 2019 Draft to the 2021 Version relates to the expectation for response time to the emergency request by the requested party. In the 2019 Draft, the timeframe was “the most rapidly expedited basis possible.” The 2021 Version uses the language: “rapidly expedited basis.”
[20] For domain name registration information, each party must permit entities to release this type of information, but the party has the option of deciding whether to require entities to respond to this type of request. Article 6, Section 2, 2021 Version; see Explanatory Report Para. 82-83, 2021 Version. With regard to expedited disclosure of stored data in an emergency situation, each party may decide at the time of signing or ratifying the protocol whether it will expedite requests only for subscriber information. Article 9, Section 1.b., 2021 Version; see Explanatory Report Para. 157, 2021 Version.
[21] Explanatory Report Para. 81, 2021 Version; see Matthew Kahn, “WHOIS Going to Keep the Internet Safe?” Lawfare (May 2, 2018), https://www.lawfareblog.com/whois-going-keep-internet-safe.
[22] Article 6, 2021 Version.
[23] The objective of Article 6 is to provide “an effective and efficient framework to obtain information for identifying or contacting the registrant of a domain name.” Explanatory Report Para. 76, 2021 Version. “‘Information … for identifying or contacting the registrant of a domain name’ refers to the information previously publicly available through so-called WHOIS lookup tools, such as the name, physical address, email address and telephone number of a registrant. Some Parties may consider this information a subset of subscriber information as defined in Article 18.3 of the Convention. Domain name registration information is basic information that would not permit precise conclusions to be drawn concerning the private lives and daily habits of individuals. Its disclosure may, therefore, be less intrusive than the disclosure of other categories of data.” Explanatory Report Para. 81, 2021 Version.
[24] Explanatory Report Para. 75, 2021 Version.
[25] Article 6, Section 2, 2021 Version; see Explanatory Report Para. 82-83, 2021 Version.
[26] The Explanatory Report notes that “the entity offering domain name registration services may need to determine whether to disclose the information sought.” A list of safeguards required by the Protocol is provided to assist the entity in making this determination. Explanatory Report Para. 83; see Explanatory Report Para. 75 (stating domain name registration information “may be personal data and may be protected under data protection regulations in the Party where the respective entity providing domain name registration services (the registrar or registry) is located or where the person to whom the data relates is located”).
[27] ICANN Comment, https://rm.coe.int/0900001680a25890. ICANN is the acronym for the Internet Corporation for Assigned Names and Numbers, https://www.icann.org/en. “‘Information … for identifying or contacting the registrant of a domain name’ refers to the information previously publicly available through so-called WHOIS lookup tools, such as the name, physical address, email address and telephone number of a registrant.” Explanatory Report Para. 81; see “An Update on ICANN’s GDPR-Related Efforts,” ICANN (Dec. 23, 2020), https://www.icann.org/en/blogs/details/an-update-on-icanns-gdpr-related-efforts-23-12-2020-en.
[28] Comment from the New Zealand’s Office of the Privacy Commissioner, https://rm.coe.int/0900001680a25893.
[29] EuroISPA Comment, https://rm.coe.int/0900001680a25789; see also Justin Hemmings, Sreenidhi Srinivasan & Peter Swire, “Defining the Scope of ‘Possession, Custody, or Control’ for Privacy Issues and the Cloud Act,” Journal of National Security Law and Policy (Oct. 7, 2019) (examining the concept of “possession, custody, or control” in U.S. law as well as similar standards in other nations), https://jnslp.com/2020/01/23/defining-the-scope-of-possession-custody-or-control-for-privacy-issues-and-the-cloud-act/.
[30] Article 9, 2021 Version; see Explanatory Report Para. 155, 2021 Version (referencing the term “computer data” in Article 1.b. of the Budapest Convention); see also Explanatory Report Para. 70, 2021 Version. The Budapest Convention defines “computer data” to mean “any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function.” Article 1.b, Council of Europe Convention on Cybercrime (Budapest Convention) (2001), https://rm.coe.int/1680081561.
[31] Article 3, 2021 Version.
[32] Explanatory Report Para. 42, 2021 Version.
[33] Article 9, Section 1.b, 2021 Version; see Explanatory Report Para. 157, 2021 Version. The Explanatory Report notes that receiving expedited requests only for subscriber information could overburden certain 24/7 Networks. Explanatory Report Para. 157, 2021 Version.
[34] Explanatory Report Para. 152, 2021 Version.
[35] Kaspersky Comment, https://rm.coe.int/0900001680a26122. Kaspersky is a global cybersecurity company. Kaspersky, https://usa.kaspersky.com/.
[36] EuroISPA Comment, https://rm.coe.int/0900001680a25789; see also Justin Hemmings, Sreenidhi Srinivasan & Peter Swire, “Defining the Scope of ‘Possession, Custody, or Control’ for Privacy Issues and the Cloud Act,” Journal of National Security Law and Policy (Oct. 7, 2019) (examining the concept of “possession, custody, or control” in U.S. law as well as similar standards in other nations), https://jnslp.com/2020/01/23/defining-the-scope-of-possession-custody-or-control-for-privacy-issues-and-the-cloud-act/.
[37] The parties may require stronger protections than those in the provision for data processed by their own authorities. Explanatory Report Para. 226, 2021 Version.
[38] Article 15, Council of Europe Convention on Cybercrime (Budapest Convention) (2001), https://rm.coe.int/1680081561; see also Conditions and Safeguards under Article 15 of the Convention on Cybercrime in the Eastern Partnership, Cybercrime@EAP 2018 (May 5, 2018), https://rm.coe.int/conditions-and-safeguards-under-article-15-of-the-convention-on-cyberc/16808f1e39.
[39] Comment by Office of the Privacy Commissioner of Canada, https://rm.coe.int/0900001680a25785.
[40] Access Now Comment, https://rm.coe.int/0900001680a25783.
[41] Article 14, Section 1.a, 2021 Version; see Article 14, Sections 2-15, 2021 Version.
[42] “In this context, a framework would generally be considered as being ‘comprehensive’ where it comprehensively covers the data protection aspects of the data transfers.” Explanatory Report Para. 222, 2021 Version; see Article 14, Section 1.b, 2021 Version.
[43] Explanatory Report Para. 222, 2021 Version; see Convention 108 and Protocols, Council of Europe, https://www.coe.int/en/web/data-protection/convention108-and-protocol; Agreement Between the United States of America and the European Union on the Protection of Personal Information Related to the Prevention, Investigation, Detection, and Prosecution of Criminal Offences, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:22016A1210(01)&rid=3.
[44] See Katitza Rodriguez & Tamir Israel, “Global Law Enforcement Convention Weakens Privacy & Human Rights,” EFF (June 8, 2021) (discussing Article 14 of the Protocol and the U.S. CLOUD Act), https://www.eff.org/deeplinks/2021/06/global-law-enforcement-convention-weakens-privacy-human-rights.
[45] In the Explanatory Report, parties are encouraged to make such determinations publicly available. Explanatory Report Para. 223, 2021 Version.
[46] Article 14, Section 1.d., 2021 Version.
[47] Article 14, Section 1.d, 2021 Version; see Explanatory Report Para. 224, 2021 Version. Note that parties are not prevented from “applying stronger safeguards to the processing by their own authorities of personal data received under the Protocol.” Article 14, Section 1.e., 2021 Version (emphasis added); see Explanatory Report Para. 226, 2021 Version.
[48] Article 14, Section 1.d., 2021 Version; see Explanatory Report Para. 225, 2021 Version.
[49] Katitza Rodriguez, “EFF to Council of Europe: Cross Border Surveillance Treaty Must Have Ironclad Safeguards to Protect Individual Rights and Users’ Data,” EFF (Sep. 8, 2021), https://www.eff.org/deeplinks/2021/09/eff-council-europe-cross-border-police-surveillance-treaty-must-have-ironclad.
[50] CS Coalition Comment, https://rm.coe.int/0900001680a25788; EFF Comment, https://www.eff.org/files/2021/08/17/20210816-2ndaddprotocol-pace-ver2-final.pdf; EuroISPA Comment, https://rm.coe.int/0900001680a25789.
[51] Access Now Comment, https://rm.coe.int/0900001680a25783; ADC Comment, https://rm.coe.int/0900001680a25784; CS Coalition Comment, https://rm.coe.int/0900001680a25788; EFF Comment, https://www.eff.org/files/2021/08/17/20210816-2ndaddprotocol-pace-ver2-final.pdf.
[52] Resolution Adopted by the General Assembly on 27 December 2019: Countering the Use of Information and Communications Technologies for Criminal Purposes, United Nations General Assembly (Jan. 20, 2020), https://undocs.org/A/Res/74/247; see “U.N. Approves Timetable for New Treaty to Combat Cybercrime,” AP (May 27, 2021), https://apnews.com/article/united-nations-general-assembly-united-nations-technology-06be1f9990a541ecdeb25ab01fc89df1.
[53] Belarus, Cambodia, China, Democratic People’s Republic of Korea, Myanmar, Nicaragua, Russian Federation, and Venezuela (Bolivarian Republic of): Draft Resolution, Countering the Use of Information and Communications Technologies for Criminal Purposes, United Nations General Assembly (Oct. 11, 2019), https://undocs.org/en/A/C.3/74/L.11.
[54] General Assembly Adopts Resolution Outlining Terms for Negotiating Cybercrime Treaty, United Nations Meetings Coverage and Press Releases (May 26, 2021), https://www.un.org/press/en/2021/ga12328.doc.htm; see Ad Hoc Committee Established by General Assembly Resolution 74/247, United Nations Office on Drugs and Crime, https://www.unodc.org/unodc/en/cybercrime/ad_hoc_committee/home.
[55] “The EU underlines its continued support for the Budapest Convention on Cybercrime as a comprehensive multilateral legal framework for developing national legislation and international cooperation to tackle cybercrime and emphasises the complementarity between UN efforts and the already existing international instruments in this field and the importance of respect for human rights and fundamental freedoms.” “EU Priorities at the United Nations During the 76th United Nations General Assembly, September 2021 – September 2022,” Council of the European Union (Jul. 12, 2021), https://www.consilium.europa.eu/media/51240/st10393-en21.pdf.
[56] Draft Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence, Opinion 299 (2021) – Provisional Version, PACE, https://pace.coe.int/en/files/29530/html.
[57] See Committee of Ministers, PACE, https://www.coe.int/en/web/cm/home.
[58] “20 Years of the Convention on Cybercrime: Join the Celebration!” Cybercrime News, Council of Europe (Sep. 28, 2021), https://www.coe.int/en/web/cybercrime/-/20-years-of-the-convention-on-cybercrime-join-the-celebration-; “E-Evidence Protocol Approved by Cybercrime Convention Committee,” Cybercrime News, Council of Europe (May 31, 2021), https://www.coe.int/en/web/cybercrime/-/e-evidence-protocol-approved-by-cybercrime-convention-committee.
[59] “Cybercrime: Council of Europe Strengthens its Legal Arsenal,” Newsroom, Council of Europe (November 17, 2021), https://www.coe.int/en/web/portal/-/cybercrime-council-of-europe-strengthens-its-legal-arsenal.