Incyder news

 

05 June 2013


Subscribe

Transborder Data Access: Quo Vadis, Council of Europe?

The Council of Europe (CoE) has been examining the possibilities of supplementing or amending the Convention of Cybercrime, adopted in 2001, to ensure more effective use and implementation of the Convention.

The Council of Europe Cybercrime Convention Committee (T-CY) created an ad hoc sub-committee in 2011 to analyse the issues of jurisdiction and transborder access to data and data flows for the purposes of specific criminal investigations and proceedings in the context of Article 14 of the Convention. The demand for discussing these issues in depth arises from the need for a more effective fight against cybercrime and more operational access to electronic evidence, assuming that this is not sufficiently facilitated via Article 32(b) or through the provisions of mutual legal assistance treaties (MLAT).1

Under specific scrutiny were the following aspects:

  1. the use of Article 32b of the Convention on Cybercrime;
  2. the use of transborder investigative measures on the internet;
  3. the challenges to transborder investigations on the internet posed by applicable international law on jurisdiction and state sovereignty.

The sub-committee suggested in its report of December 20122 that the provisions of the Convention should be used more effectively, and proposed the preparation of a T-CY Guidance Note on Article 32.3 In addition, the report proposed considering initiating negotiations on an Additional Protocol regarding access to electronic evidence.

Article 32

Trans-border access to stored computer data with consent or where publicly available

A Party may, without the authorisation of another Party:

a) access publicly available (open source) stored computer data, regardless of where the data is located geographically; or

b) access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.

Public hearing on the possible Additional Protocol to the Budapest Convention on Cybercrime

In June 2013, the T-CY held a public hearing in Strasbourg to gather opinions from civil society and the private sector regarding4 a number of specific issues.5 Among others, the hearing discussed the possible elements of an Additional Protocol, which were reflected in five proposals: transborder access with consent without the limitation to data stored ‘in another Party’; transborder access without consent but with lawfully obtained credentials; transborder access without consent in good faith or in exigent or other circumstances; extending a search without the limitation ‘in its territory’ in Article 19.3; and the power of disposal as a connecting legal factor.6 These elements were also further discussed at the subsequent 9thPlenary of the T-CY.

Strong criticism

The proposals received strong criticism from most of the stakeholders at the public hearing.7 Partly, the criticism was directed at the privacy and data protection requirements and the notion of consent which needs to be that of a data subject instead of data controller. The aspects related to data protection are all the more challenging, given the fact that Cybercrime Convention Parties extend far beyond the Council of Europe’s territory. There are also other issues related to the lawfulness of the transborder access authorisation, the challenging interpretation of the terms such as ‘in good faith or in exigent circumstances’ and ‘the power of disposal of data’ in the transborder access context.8

As an alternative to the creation of the additional protocol, options were proposed for rendering MLAT provisions and the networks of points of contact more effective.9

Despite the criticism, the 9thPlenary, held shortly after, decided to start working on a draft 2nd Additional Protocol to the Convention.10

CoE