EU Data Protection Commissioner Wojciech Wiewiórowski has raised serious concerns about the additional protocol to the Council of Europe’s Cybercrime Convention for access to cloud data. In the form adopted in November, the so-called e-evidence agreement undermines “the level of protection for natural persons guaranteed by EU law,” criticizes Wiewiórowski. In view of the risks “related to the processing of personal data of natural persons in criminal matters”, EU countries would have to put in place additional safeguards.
In late autumn, the Committee of Ministers of the Council of Europe adopted the second additional protocol to mark the 20th anniversary of the signing of the Convention on Cybercrime (Budapest Convention), which has itself long been controversial. It is intended to provide a legal basis for the transfer of information on the registration of domain names and for direct cooperation with the service providers with regard to inventory, location and connection data. Direct cooperation in emergencies and instruments for mutual administrative assistance are also planned.
Significant threats to fundamental rights
The protocol is expected to be ratified by May. Two proposals are already being discussed in the EU Council of Ministers, which should authorize all member states to sign accordingly. According to Wiewiórowski, the agreement would also allow countries outside the EU to “request the disclosure of certain types of information” from service providers within the community. Such a procedure harbors considerable dangers “for the fundamental rights to privacy and data protection”.
The chief of the supervisory authority therefore believes that requests for access to the data concerned, such as IP addresses and access numbers, should only be granted if they are first transmitted to the authorities of the member states. For these reasons, Wiewiórowski recommends that EU states reserve the right not to apply the provision on direct cooperation with service providers in this context. They would have to ensure that “additional safeguards are maintained when reviewing these applications”.
It is also advisable to commission a judicial authority or another independent agency to check requests for information, says the statement. In addition, EU countries would first have to clarify the interaction between the protocol and other international agreements such as a planned relevant framework agreement between the EU and the USA. This means that different data protection regulations than those provided for in the new agreement of the Council of Europe could apply.
According to Wiewiórowski, the principles of data protection include fairness, correctness and the relevance of the information, independent supervision and the rights of those affected to access and correct data, for example for individuals, public institutions and companies. These principles are particularly important in this case given the sensitivity of the data being processed.
Agreements with third countries required
The data protection officer emphasized that investigating and prosecuting criminal offenses and exchanging information internationally for this purpose is a legitimate goal. “Sustainable” agreements with third countries are required for this. These would have to be fully compatible with existing EU law. The European Data Protection Board (EDPB) had previously made a similar statement. An examination of inquiries by judges, public prosecutors or at least an independent authority should only be dispensed with in emergencies.
Over 40 civil society organizations such as the Electronic Frontier Foundation (EFF), European Digital Rights (EDRi) and the Chaos Computer Club (CCC) complained in early summer in a submission to the Council of Europe that the new protocol undermines anonymity on the Internet. This threatens the security of activists, dissidents, journalists and the right to freedom of expression of all citizens. Articles 7 and 8 in particular provide for “dramatic police powers”. Accordingly, the states involved would have to remove all legal obstacles to “direct cooperation” between companies and law enforcement agencies. Privacy laws that prevent internet companies from naming their customers to foreign police authorities without a court order are incompatible with Article 7 and would have to be amended if ratified.