On 28 February 2017, the Cybercrime Convention Committee (T-CY) adopted its ‘Guidance Note #10 – Production orders for subscriber information (Article 18 Budapest Convention)’ drafted by the Cloud Evidence Group (CEG). The Guidance Note is not a legally binding instrument, but it is a strong official statement of the Parties’ policies and should lead to improved cross-border cooperation between criminal justice authorities and service providers.
Article 18.1.a of the Cybercrime Convention states, in a nutshell, that a person (which may include a service provider) under a Party’s jurisdiction may be ordered to ‘submit specified computer data in that person’s possession or control’. The T-CY agreed that ‘possession’ also means a situation when a person ‘freely controls the computer data to be submitted under Article 18.1.a from within the Party’s territory’, which also applies to data in the cloud. For example, a citizen of country A who is present in country B can therefore be ordered by country B to submit his data, possibly located in countries C, D and E.
According to Article 18.1.b, ‘a service provider offering its services in the territory of the Party [can be ordered] to submit subscriber information relating to such services in that service provider’s possession or control’, which includes situations such as a webmail provider based in country A submitting information to a law enforcement authority from country B about a webmail user from country B, while the information is physically held in country C.
While this is expedient from the perspective of criminal justice, it also means that the Parties to the Convention will limit their exclusive right to exercise jurisdiction. The T-CY hastens to add that ‘[a]greement to this Guidance Note does not entail consent to the extraterritorial service or enforcement of a domestic production order issued by another State nor creates new obligations or relationships between the Parties’. Nevertheless, the Guidance Note is exactly the kind of proclamation by a Party to the Convention which can constitute opinio juris, and thus create customary law. It will be interesting to see to what extent the Parties are willing to apply this interpretation and cooperate more closely, so that the nascent custom is supported by state practice.
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.