Cross-border access to data: Council of Europe submission

Today, 18 September 2017, a global coalition of civil society organisations, led by European Digital Rights (EDRi) and including Digital Rights Watch, submitted to the Council of Europe its comments on how protect human rights when developing new rules on cross-border access to electronic evidence (“e-evidence”). The Council of Europe is currently preparing an additional protocol to the Cybercrime Convention.

E-evidence refers to digital or electronic evidence, such as contents of social media, emails, messaging services or data held in the cloud – access to which is often required in criminal investigations. Since in the digital environment the geographical borders are often blurred, investigations require cross-border cooperation between multiple public authorities and between public authorities and the private sector.

The new optional protocol aims to address three areas of activity:

  • the direct gathering of electronic evidence online by law enforcement agencies in one State, from ICT infrastructure and devices in another State;
  • closer cooperation between designated bodies in different states in relation to cross-border investigations and transnational collecting of evidence;
  • the direct requesting and obtaining of possibly highly sensitive personal information by law enforcement agencies in one State from private sector companies in another State, without the knowledge or consent of the latter country, bypassing its laws and potentially violating its sovereignty.

A group of 14 civil society organisations from around the world submitted comments and suggestions on the Terms of Reference for drafting a Second Protocol to the Cybercrime to the Council of Europe, with an aim to make sure that human rights are fully respected in the preparation of the new protocol. The global submission emphasises the importance of an inclusive, open and transparent drafting process, and includes key principles that will serve to guide the work of the Drafting group and allow for civil society to engage constructively in the coming two and a half years.

It is vital that the new protocol, if adopted, include and respect three basic principles:

  • Enforcement of jurisdiction by a State or State agency on the territory of another State cannot happen without the knowledge and agreement of the targeted State.
  • State-parties must comply with human rights principles and requirements, including under any powers granted or envisaged in or under the Cybercrime Convention and the proposed additional protocol.
  • Unjustified forced data localisation should be banned. Data transfers between jurisdictions should not occur in the absence of clear data protection standards.

EDRi handed the comments over to Mr. Alexander Seger, the Executive Secretary of the Cybercrime Convention Committee of the Council of Europe.

“Over the next two and a half years, the work on the new protocol needs to incorporate the civil society principles presented today”, said Joe McNamee, Executive Director of European Digital Rights.

“Global civil society is engaging in this process to ensure that any harmonisation in this crucial policy area is up to the highest human rights standards, in line with the ethos of the Council of Europe”, he added.

Alexander Seger, the Council of Europe’s anti-cybercrime coordinator, has welcomed the joint submission.