Council of Europe Ponders a New Treaty on Cloud Evidence

On 8 June 2017, the 17^th Plenary of the Cybercrime Convention Committee (T-CY) of the Council of Europe approved the ‘ Terms of Reference for the Preparation of a Draft 2nd Additional Protocol to the Budapest Convention on Cybercrime’. If adopted, the 2^nd Additional Protocol should deal with criminal justice access to electronic evidence in the cloud, more effective mutual legal assistance, direct cooperation with service providers, and safeguards, including data protection requirements.

Electronic Evidence and Mutual Legal Assistance

The Convention on Cybercrime (Budapest, 23 November 2001) and its [1st] Additional Protocol concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems (Strasbourg, 28 January 2003) are the most prominent international treaties dealing with cybercrime and, consequently, with cyber security. The Convention, which was originally drafted by the Council of Europe member states and the US and Canada, currently has a total of 55 ratifications and accessions worldwide, while the 1^st Additional Protocol has only 29. Nevertheless, both of these numbers are growing steadily, and the treaties are attracting more and more non-European countries.

The Convention obligates its Parties to take measures at the national level to harmonise their substantive criminal law (Articles 2 – 13) and procedural law (Articles 14 – 22). The Convention also regulates international cooperation between the Parties (Articles 23 – 35). The Convention deals with electronic evidence related to both cybercrimes (such as hacking) and traditional crimes (such as violent crimes).

The Convention also contains provisions on Mutual Legal Assistance (MLA), but the process is ‘considered inefficient in general, and with respect to obtaining electronic evidence in particular. Response times to requests of six to 24 months appear to be the norm.’ Therefore, the Parties to the Convention have been looking for ways to streamline the process. Among other options, they considered regulating transborder access to stored data according to Article 32 of the Convention; however, this attempt to facilitate the cooperation ended inconclusively in 2014. At the same meeting, the T-CY also came up with an assessment of MLA provisions of the Convention, including conclusions and recommendations (pages 123-128).

The T-CY Cloud Evidence Group

The T-CY Cloud Evidence Group (CEG) was established at the 12^th T-CY Plenary (2-3 December 2014) to ‘explore solutions for access to evidence in the cloud for criminal justice purposes, including through mutual legal assistance’.

Cloud computing’s key characteristic is independence of location, which presents the criminal justice authorities with several problems. The data of a citizen of country A can be stored in countries B, C and D by a cloud service provider based in country E. Even if the data can be localised to a particular country, it is still not clear which country’s rules will apply to lawful access by the authorities, leading to serious jurisdictional problems.

The CEG summed up the problems and recommends solutions in its final report from 16 September 2016. It recommended that the T-CY ‘ensure follow up to the T-CY Recommendations on MLA adopted in December 2014’. Other recommendations include adopting the Draft Guidance Note on Production Orders (see the earlier Incyder article), reviewing domestic access to subscriber information, and facilitating practical cooperation between service providers and criminal justice authorities on ‘disclosure of subscriber information upon a lawful request in a specific criminal investigation but also with respect to emergency situations’.

These recommended measures seek to improve on the procedures that are already established by the Convention, most notably Article 18 dealing with production orders for subscriber information. However, they only have a limited effect and offer a provisional solution. Therefore, the main recommendation of the CEG to T-CY was to consider the preparation of a draft Protocol to the Budapest Convention. The T-CY then had the CEG submit Terms of Reference for the drafting process.

The Preparation of the 2^nd Additional Protocol to the Budapest Convention

The Terms of Reference for the Preparation of a Draft 2nd Additional Protocol to the Budapest Convention on Cybercrime were approved by the 17th Plenary of the T-CY on 8 June 2017. The Terms of Reference also lay out a possible scope of the 2^nd Additional Protocol:

• Provisions for more effective mutual legal assistance:

– a simplified regime for mutual legal assistance requests for subscriber information;

– international production orders;

– direct cooperation between judicial authorities in mutual legal assistance requests;

– joint investigations and joint investigation teams;

– requests in English language;

– audio/video hearing of witnesses, victims and experts; and

– emergency MLA procedures.

• Provisions allowing for direct cooperation with service providers in other jurisdictions with regard to requests for subscriber information, preservation requests, and emergency requests.
• Clearer framework and stronger safeguards for existing practices of transborder access to data.
• Safeguards, including data protection requirements.

The Drafting Group for the 2^nd Additional Protocol will hold its first meeting at the Council of Europe in Strasbourg on 19 and 20 September 2017. The next T-CY Plenary should work on the 2^nd Additional Protocol on 29 November 2017. According to the Terms of Reference of the Drafting Group, a ‘draft Second Additional Protocol to the Convention on Cybercrime (ETS 185) – including an Explanatory Report – [will be] prepared and finalised by the T-CY by December 2019.’

Benefits and Pitfalls of the 2^nd Additional Protocol

If the 2^nd Additional Protocol is adopted by enough Parties to the original Convention, it will become its most important addition since 2001. It has the potential to facilitate the exchange of data vital to criminal proceedings. There are two difficulties: first, how to ensure that service providers comply with all the requests from all of the Parties whilst ensuring the protection of fundamental rights (such as Google handing over personal data to a Party with a controversial human rights record); and second, the interaction of the 2^nd Additional Protocol and EU personal data law, most importantly the GDPR and the Police Directive which will apply from May 2018, but also the rapidly developing case law of the CJEU (Digital Rights Ireland, Schrems, Tele2 Sverige).

The drafting of the 2^nd Additional Protocol will be a major effort which could have an impact on how states perceive sovereignty and jurisdiction in cyberspace (for detailed discussion of the current status, see Rules 8 – 13 of the Tallinn Manual 2.0). It may expand states’ jurisdictions with respect to cybercrime investigations and thus lead to more practical cooperation and the ultimate goal of safer and more open cyberspace for all.

Tomáš Minárik

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.