The Council of Europe (CoE) is on track to approve the Second Additional Protocol to the Budapest Cybercrime Convention, which will set new invasive international rules for law enforcement access to user data and cooperation between States conducting criminal investigations. In our recent joint civil society submission to the CoE’s Parliamentary Assembly we recommended 20 solid amendments to preserve the Protocol’s objective—facilitating efficient and timely cross-border investigations between countries with varying legal systems—while embedding a much-needed baseline to safeguard human rights. In this post, the second in a series about our recommendations, we examine how the current Protocol’s text threatens privacy rights in Latin America, a region with deeper challenges for fulfilling human rights safeguards and the rule of law compared to many European countries.
Article 7 of the Protocol is among the most troubling provisions, raising privacy concerns regarding police cross-border access to subscriber data. As we have written, Article 7 establishes procedures for law enforcement in one country to request access to subscriber data directly from service providers located in another country under the requesting country’s legal standards. This can create unjustifiable asymmetries in national law by applying to foreign authorities a more permissive, less privacy-protective legal basis to access subscriber data than what is granted to local law enforcement agencies under its own local law.
Article 7 focuses on authorizing police access to subscriber data. Why does subscriber data matter? Your IP address can tell authorities what websites you visit and who you communicate with. It could reveal otherwise anonymous online identities, your social networking contacts and, even at times, your physical location via GPS. Police can request your name, the subscriber data to link your identity to your online activity, and that can be used to create a nicely detailed police profile of your daily habits .
When and How Cross-Border Police Direct Cooperation Rules Will Perniciously Affect Latin American Countries
We see at least two possible scenarios for how pernicious Article 7 could be on Latam frameworks for lawful access to communications data in criminal investigations. First, this provision can serve as an influence to drive down standards in the region for accessing subscriber information (and unveiling a user’s identity). Second, it can potentially export globally a broader definition of what constitutes “subscriber information,” expanding the categories of communications data encompassed by a third-class protection standard. All in all, Article 7 contains serious flaws that should be fixed before it can serve as a robust rights-protective model to pursue and endorse.
With CoE’s final adoption of the draft Protocol, countries in Latin America already parties to the original 2001 Budapest Convention will be able to ratify or accede to the Second Protocol. To date, those countries are Argentina, Chile, Costa Rica, Colombia, Dominican Republic, Panama, Paraguay, and Peru. Brazil and Mexico were invited to become parties and currently act as observers. The Budapest Convention, the first international treaty addressing internet and computer crime by harmonizing national laws and increasing cooperation among nations, has been influential in the region, acting as a model for cybercrime regulation and production of electronic evidence, even for countries that are not parties of the Convention. As many law enforcement authorities want access to potential electronic evidence across borders, Latin American countries will likely seek accession to the Protocol because of its cooperation rules. But if the final text passes without our recommended amendments, the Protocol will encourage Parties to reinforce weaker privacy standards already in place in different Latam countries instead of fostering a growing trend in other nations in the region where domestic laws or court judgments have provided stronger human rights protections.
That’s because of another concerning mandate in Article 7: in countries with laws that prevent service providers from voluntarily responding to subscriber data requests without appropriate safeguards—such as a reasonable ground requirement and/or a court order—Article 7 requires these legal “impediments” be removed for cross-border requests. Those countries with higher standards are allowed to reserve the right not to abide by Article 7, but only at the time of the signature/ratification/approval, and not at a later stage. This means that in the future, Parties will be stuck with the inherent flaws in Article 7, and will be unable to designate Article 8—another, slightly more privacy-protective provision in the Protocol for getting data across borders—as the sole means of accessing some or all types of subscriber data, even if their legal systems, because of new laws or court decisions, eventually recognize additional safeguards for subscriber information.
Moreover, although the Protocol stipulates important data protection safeguards, its current text contains provisions that will allow State parties to bypass them (as we will further explain in the third post of this series).
Levelling Down Subscriber Information Protections
Countries in the region have adopted varying degrees of privacy safeguards in criminal investigations. Mexico‘s legal framework has good standards, at least on the books, requiring judicial authorization for disclosing stored communications data, including subscriber information, and calling for authorities to specify targets and time periods as well as justify the need for the information sought. In Brazil, when it comes to accessing internet users’ subscriber data (dados cadastrais, in Portuguese), authorities with express legal power to access subscriber information aren’t required to obtain a warrant to access the data. Authorities’ direct requests to service providers must indicate the explicit legal basis for the request and must specify the individuals whose information is being sought (generic and non-specific collective requests are prohibited).
But Brazilian police agencies dispute that direct requests are authorized only for certain legally specified cases and push for a broader interpretation of their powers. The National Association of Mobile Service Providers (ACEL) went to Brazil’s Supreme Court to assert users have constitutional privacy protections when the government is requesting communications data, including subscriber information. But with the case still pending in court, a proposal to reform the country’s Criminal Procedure Code is looking to side with law enforcement by generally authorizing police and prosecutors to directly request subscriber data from service providers.
This push to allow law enforcement agents to access subscriber data without a prior court order reflects bad practices adopted in some Latin American countries like Panama, Paraguay, and Colombia. In Colombia, a simple administrative resolution sets out that telecommunications service providers must allow authorities to remotely connect with their systems to obtain user information. Other countries, like Argentina, do not have legal rules or case law specifically addressing law enforcement access to subscriber information.
The Protocol’s Article 7 rules for service providers’ direct cooperation with law enforcement aligns with the region’s weaker privacy standards. It also hinders companies’ best practice commitments to interpret local laws in a way that provides the most privacy protections for users. In collaboration with EFF, leading digital rights groups in Latin America and Spain have been pushing companies to make greater commitments on that front. Who Defends Your Data assessments, inspired by EFF’s Who Has Your Back project, have encouraged companies to improve their privacy practices in recent years, demonstrating that local privacy laws should be the ground, and not the ceiling, for companies’ efforts in supporting users’ fundamental rights.
For example, Chilean ISPs have adopted best practices to require a judicial order before handing over users’ information (see GTD‘s and Claro‘s law enforcement guidelines) and to only comply with individualized personal data requests (in addition to Claro, see Entel‘s guidelines). Chilean law does not explicitly create an artificial distinction among different types of communications data, but instead the country’s Criminal Procedure Code allows a more protective standard by requiring a prior warrant in all proceedings that affect, deprive, or restrict an accused or a third-party’s constitutional privacy rights. Since 2017, Derechos Digitales’ Who Defends Your Data reports have been calling on Chilean companies to commit to the most protective interpretation of legal standards concerning communications data disclosures including subscriber data.
In early 2020, Chile’s Prosecutor’s Office sought to obtain all mobile phone numbers that had connected to antennas in Santiago’s subway stations, where fires marked the beginning of the country’s 2019 social uprising. By obtaining the mobile phone numbers, it would be possible to identify their owners. Most of the ISPs did not comply with the prosecutor’s direct request without a judicial examination. This case is a clear demonstration of how subscriber information, which unveils a user’s identity linked to specific activities, can provide sensitive details of individuals’ daily lives.
In our submission, we recommend removing Article 7 since it erodes privacy standards even where appropriate protections already exist. This amendment would permit Article 8, mentioned above, to become the primary legal basis by which subscriber data is accessed in cross-border contexts. Article 8 authorizes the requesting authority to submit a production order to the receiving national authority so it can compel local service providers to produce stored subscribers and “traffic data.” Even though Article 8 could also benefit from additional safeguards, such as setting a prior judicial authorization standard, it provides stronger protections than Article 7. Article 8 requires the involvement of the receiving Party’s national authorities that can, applying standards contained in its own national laws, compel the production of subscriber data to the local service provider located in its territory.
Broadening the Scope of Third-Class Protection for Subscriber Information
We wrote about the “second-class” protection still granted to metadata in the region. Latam domestic privacy laws often treat metadata as less worthy of protection compared to the contents of a communication. The Budapest Convention has always promoted the distinction between “traffic data” (equivalent to “metadata”) and “subscriber information,” and defines them separately. The Protocol uses this distinction to incorporate a lower level of protection for subscriber information in the context of cross-border requests. But as our 13 Principles on the application of human rights to communications surveillance states, these formalistic categories of data “content,” “subscriber information,” or “metadata” are no longer appropriate for measuring how intrusive communications surveillance is for individuals’ private lives and associations. While it has long been agreed that communications content deserves significant protection in law because of its capability to reveal sensitive information, it is now clear that other information arising from communications, including subscriber data and metadata, may reveal deeply sensitive aspects about an individual, and thus deserves similarly robust protections.
Unfortunately, the Convention’s broad definition of subscriber information, which includes IP addresses, exacerbates the Protocol’s callous treatment of this category of information, giving it third-class treatment.
That definition goes beyond, for example, the Brazilian legal definition of subscriber data (dados cadastrais). In fact, IP addresses are considered part of connection and application logs, only disclosed by means of a prior judicial authorization—without the exception for direct requests, referred to above, that may apply to subscriber data. As the Protocol’s Explanatory Report underlines, IP address-related information and other access numbers may be treated as traffic data in some countries, which is why the Second Additional Protocol (Article 7, paragraph 9.b) allows Parties to reserve the right not to apply Article 7 to certain types of access numbers.
However, Article 7, paragraph 7.9.b’s reservation is only possible when disclosing those access numbers through direct cross-border cooperation “would be inconsistent with the fundamental principles of [the] domestic legal system.” But in many Latam legal systems, judicial control and/or the presence of reasonable grounds for communications data aren’t clearly spelled out. They often rely on legislation that does not clearly distinguish types of information, case law explicitly addressing only telephone communications, or protective interpretations fostered by companies’ best practices. This situation could not only hamper the use of the reservation clause, when countries eventually sign the Protocol, but may also function as a tool for spreading a general understanding of the scope of “subscriber information,” conveniently served with third-class protection standards.
In their landmark ruling affirming data protection as a fundamental right under the country’s Constitution, Brazilian Supreme Court justices pointed out how changes in our technological landscape demand more cautious treatment of subscriber information. Justice Rosa Weber recalled public telephone directories that contained people’s names, telephone numbers, and addresses, asserting that “what could be done from the publicization of such personal data [a few decades ago] is not comparable to what can be done at the current technological level, where powerful data processing, cross-referencing and filtering technologies allow the formation of extremely detailed individual profiles.” Also mentioning public telephone directories, Justice Cármen Lúcia went as far as to say “this world is over!”—referring to how personal information can now be gathered and analyzed to reveal details of our personal lives.
Article 7 of the Second Protocol is way out of step with the realities of how today’s technology can be used to threaten privacy, relying on an outdated and incorrect assumption, put forward in the Protocol’s Explanatory Report, that subscriber information “does not allow precise conclusions concerning the private lives and daily lives of individuals concerned.”
We hope that CoE’s Parliamentary Assembly removes Article 7 in its entirety from the text of the Protocol, allowing Article 8 to form the primary basis by which user information is disclosed in cross-border contexts. This would allow cross-border cooperation in accessing people’s private information to properly align with advancements in privacy protections being made in national law. That will help to avoid the drift towards third-class protection for user information that can unveil people’s identities and link them to specific online activities. Alternatively, if the Parliamentary Assembly retains Article 7, it must be amended to prevent foreign efforts to sidestep domestic safeguards when seeking access to user data.
The Assembly has the opportunity to ensure respect for human rights in cross-border police investigations. Improving the Protocol’s safeguards will carry weight with stakeholders at the national level and influence their decisions to champion, instead of discard, proper privacy safeguards. CoE’s international rules should serve to tip the scale in favor of protecting fundamental rights instead of embracing surveillance tactics strongly lacking human rights protections.