
25TH LEGAL ADVISERS MEETING
Panel on extraterritorial access to information: rights and duties of states

DREAMS BECOME PRACTICAL – HOW TO RECONCILE EFFECTIVE LAW ENFORCEMENT AND DATA PROTECTION?

Statement by
Mr Jörg POLAKIEWICZ

Director of Legal Advice and Public International Law
Council of Europe

New York, 27 – 28 October 2014

Ladies and gentlemen,
Dear colleagues and friends,

It is a great honour and pleasure for me to be with you this afternoon. I would like to thank the United Nations, Mr Miguel de Serpa Soares, Under-Secretary-General for Legal Affairs, and in particular my friend and colleague Max Alberto Diener Salas, the Mexican legal adviser, for having invited me to this prestigious event.

Two weeks ago, Mauritius hosted the 36th international conference of data protection and privacy commissioners under the theme of “A New World Order for Data Protection: Our Dream Coming True?” I believe that it is possible to achieve the dream of balancing privacy and security. Describing this goal as a dream does not mean that it is practically impossible to achieve it. As Michael Korda once said, “the more you can dream, the more you can do.”

I would therefore like to address our theme from a practical point of view, focusing on issues which are currently on the agenda of the Council of Europe. First, I shall present a concrete example of a treaty provision allowing extraterritorial access to information, namely article 32 of the Cybercrime Convention. Secondly, I shall address transborder access from a human rights perspective, focusing on the right to privacy under the ECHR and Data Protection Convention 108.

Extraterritorial access under the Budapest Convention

In the current worldwide discussion of surveillance measures and the right to privacy it is surprising how little attention is paid to an existing treaty regime which allows transborder access to data.

In 2001, together with Canada, Japan, South Africa and the United States of America, Council of Europe member states developed the Budapest Cybercrime Convention. With more than 50 signatories and requests for accession from countries all over the world, it is rapidly becoming a global framework of reference.

From the outset, it should be stressed that the Budapest Convention is a criminal law convention. It defines a number of computer-related offences and establishes a framework of cooperation between law enforcement authorities (LEA). It covers specific criminal investigations and proceedings, not the actions of intelligence services.

The provisions of the Budapest Convention remain valid, even more so today when “cyberspace is a world that we depend on every single day” because “it has made us more interconnected than at any time in human history.”[1] The potential of this treaty has not yet been fully exploited. Effective implementation and application of its procedural law tools, and provisions on international cooperation, will help address many of the threats our societies face. As was stated by Mr Ban Ki-Moon, Secretary General of the United Nations, “the Internet is a prime example of how terrorists can behave in a truly transnational way; in response, States need to think and function in an equally transnational manner.”

As regards transborder access, the Convention’s article 32 (1) (b) reads as follows:

“A Party may, without the authorisation of another Party: 

b. access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.”

Article 32 (b) has always been a controversial provision which prima facie appears to interfere with fundamental principles of public international law such as state sovereignty and territorial integrity. To this day, it is regularly cited by a few countries as a reason for not becoming a party. The states negotiating the Budapest Convention did not regulate this provision in greater detail, leaving some measure of “constructive ambiguity” so that it can address different situations. It must also be taken into account that at the time of drafting, in the late 1990s, there was only limited experience with the use of modern ICT in criminal investigations. It seemed premature to formulate broad general rules on the basis of only a few concrete cases.

The situation is quite different today. Based on more than a decade of practical experience with the application of the Convention, the parties are expected to adopt in December 2014 a “guidance note” seeking to clarify some of the key concepts mentioned in article 32 (b).

Here are just two examples of the scenarios that are being discussed:

  • A suspected drug trafficker is lawfully arrested while his/her mailbox – possibly with evidence of a crime – is open on his/her smartphone.
  • A teenager telephones her parents to say that she is walking home from a party but then disappears. The police would like to examine her numerous social-networking accounts.

Can LEAs carry out searches under domestic procedures, with or without the consent of the owner of the accounts in question? In the second case, should the parents be permitted to give consent? It must be taken into account that it is often not known where the data is located. The data may be moving or fragmented over different jurisdictions, and even the service provider may not know where it is located.

What is “transborder”, what is “location”?

Transborder access means “to unilaterally access computer data stored in another Party without seeking mutual assistance.”[2] Article 32 (b) refers to “stored computer data located in another Party”. This suggests that it is known where the data is located. It would appear that article 32 (b) does not cover situations where the data are not stored in another party or where it is uncertain where the data are located. Given that article 32 (b) does “neither authorise, nor preclude” other situations, states may themselves evaluate the legitimacy of a search or other type of access in the light of domestic law, relevant international law principles or considerations of international relations.

What constitutes consent?

This question should be governed by the domestic law of the party to whom consent is given, that is, the party seeking transborder access. In most countries, cooperation in a criminal investigation requires explicit consent. For example, general agreement by a person to terms and conditions of an online service, often merely by ticking a box, would not constitute explicit consent even if these terms and conditions indicate that data may be shared with criminal justice authorities in cases of abuse.

The European Union’s Data Commissioners’ Article 29 Working Party highlighted data protection concerns with respect to an unfettered application of article 32 (b). In particular, it noted that “[c]onsent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent.”

In a law enforcement context, however, “consent” is also understood to be the consent of LEAs that need to exchange data in relation to a specific case. The most frequent scenario is that national LEAs cooperate with service providers or other private sector entities to obtain access to data stored abroad. Article 32 (b) does not in fact exclude that the person providing “lawful and voluntary consent” to disclose data is a private sector entity controlling the data.

Which law applies?

For practical purposes, it makes sense to apply the law of the searching party to determine “lawful consent” and whether a person is “lawfully authorised” to disclose data. In urgent situations of transborder access it would not seem feasible for the searching LEA to verify the rules governing the use of the data in the other party, and in any case, LEAs would normally act on the basis of the laws of their own state. However, if it is obvious that disclosing or providing access violates the laws of the other party or the rules on the use of the data, LEAs must not pursue transborder access.

In any case, LEAs must apply the same legal standards under article 32 (b) as they would domestically. If access or disclosure would not be permitted domestically, it cannot be authorised under the Budapest Convention.

What about the person who can provide access?

Paragraph 294 of the explanatory report offers a simple example of a natural person providing access to his or her email account or other data that s/he stored abroad.

The person providing access may also be an Internet or cloud service provider or another private sector entity holding data of an individual, for example, if the terms of service permit this or if the service provider has become the owner or has the power of disposal of the data. However, how far should service providers be allowed to consent to disclosure of their users’ data?

Article 32 (b) requires that a service provider grants access lawfully, which means in particular without violating privacy or other rights of data subjects. Disclosure may be possible for data "owned" by the private sector entity, such as traffic data, subscriber information or other network data, but not for content generated by users voluntarily and lawfully. Service providers do not control or own such data. LEAs may of course be able to procure such content data transnationally by other methods, such as requests for mutual legal assistance.

The way forward

Various questions relating to the interpretation and application of article 32 (b) merit further clarification. Given the complex legal issues at stake and the evolving technological framework, a dual approach is currently being considered, comprising:

  • a T-CY guidance note as well as
  • another legal instrument, possibly an additional protocol to the Budapest Convention.

This “dual” approach has obvious advantages. Standards for transborder access will be clarified while avoiding the cumbersome procedures of signature and ratification. The draft T-CY guidance note to be adopted in December 2014 has been developed in a multi-stakeholder process involving the private sector and civil society. Such a guidance note regarding the interpretation of a treaty constitutes an “authoritative interpretation” by the parties and is as such part of the context of the treaty for the purposes of its interpretation.

In parallel, work on an additional protocol should be pursued. Its contents could comprise additional measures, particularly covering situations where data is moving between or stored in multiple jurisdictions or where the physical location of the data is unknown, as well as more explicit safeguards and conditions to protect the rights of individuals and prevent abuse.

It is an open secret that LEAs of many states are already engaged in transborder access to data beyond the scope of the Budapest Convention, often on an uncertain legal basis, with obvious risks to the procedural and privacy rights of individuals. In the long term, only internationally agreed standards can provide legal certainty and predictability to state conduct.

There are currently several options put forward as possible elements of a Protocol:

  1. access with consent but without the limitation to data stored "in another Party";
  2. access without consent but with “lawfully obtained credentials”, i.e. credentials obtained by lawful investigative activities by either the searching or the requested party;
  3. access without consent but in “good faith” or “in exigent or other circumstances”;
  4. making access dependent upon the “power of disposal” as opposed to territoriality.

According to the last option, it is envisaged that, even if the location of data cannot be clearly determined, it would be sufficient for the data to be linked to a person having the “power of disposal” and being physically on the territory of, or a national of, the searching party, for the LEAs of this party to be able to search or otherwise access the data.

For the drafting of both the guidance note and a protocol or other legal instrument, it will be necessary to respect the applicable data protection standards.

Transborder access and the right to privacy

The right to privacy and data protection is guaranteed under the International Covenant on Civil and Political Rights (ICCPR) and European Convention on Human Rights (ECHR). It has been further developed in Data Protection Convention 108.[3]

ECHR case law

Private life in the sense of article 8 ECHR protects the privacy of communications online and offline. It covers the security and privacy of mail, telephone, email and other forms of communication. The ECtHR recognised that the mere storing of personal information interferes with the rights under article 8 ECHR.

The ECtHR has established important principles with respect to data protection:[4]

  • Domestic law must afford appropriate safeguards to prevent any misuse or abuse of personal data, including vis-à-vis interferences by non-state actors. It must also ensure that the storing and processing of data are relevant and not excessive.
  • There must be adequate and effective guarantees against abuse and arbitrariness. These include accessible, clear and specific rules about the circumstances in which authorities are empowered to resort to surveillance. The rules must be prescribed by law rather than left to subsidiary regulations which often are subject to change and sometimes not even accessible.
  • Any discretion of authorities collecting and processing data must be constrained by clear and specific conditions regarding procedures to follow and time limitations for the storage of personal information. Finally, there must be accountability, effective supervision and review by independent and competent authorities.
  • There must be accessible and effective remedies not only to challenge the storage and use of personal data, but also to secure the destruction of the files or the erasure or rectification of unlawfully stored information kept in them.

The imperatives of national security and the prevention of crime are legitimate grounds for state interference, for example through interception of telecommunications services. Under the ECHR, states have a duty to protect the lives of their citizens. But, as the ECtHR emphasised as early as 1978 in Klass v Germany, we must be aware of the risk that a system of secret surveillance may undermine or even destroy democracy under the cloak of defending it:

“Democratic societies nowadays find themselves threatened by highly sophisticated forms of espionage and by terrorism, with the result that the State must be able, in order effectively to counter such threats, to undertake the secret surveillance of subversive elements operating within its jurisdiction. The Court, being aware of the danger such a law poses of undermining or even destroying democracy on the ground of defending it, affirms that the Contracting States may not, in the name of the struggle against espionage and terrorism, adopt whatever measures they deem appropriate.”[5]

Extraterritoriality of human rights standards

It is only in exceptional circumstances that the ECtHR has accepted that acts or omissions by contracting parties performed or producing effects outside their territories can come within its jurisdiction. Under the ECHR, the concepts of jurisdiction and state responsibility are not interchangeable. They are separate concepts, though the former is necessarily the pathway to establish the latter. The relevant ECHR case law, which has been developed mainly in the field of military operations abroad, uses the notion of effective control over territory and individuals.[6]

How should such a notion be applied in cyberspace, where some states have the technical capability to conduct surveillance measures outside their jurisdiction? Such activities may be carried out through the mere exercise of regulatory authority over telecommunications or Internet service providers that physically control the data, without any physical presence on the territory of another state.

Instead of the traditional physical control test, a “virtual control” test, as proposed by Prof Margulies,[7] could provide a solution addressing the challenges of rapidly evolving technology. Electronic communications can effectively be remotely controlled. Intelligence and law enforcement agencies can eavesdrop with the ability to filter the communications received or alter their content. It should therefore be considered to what extent the use of legislative and enforcement powers to interfere with electronic systems brings data and data subjects within the “jurisdiction” of states using such powers.

Is all this too European for our globalised world?

I do not think so. The standards of article 8 ECHR are quite similar to those of article 17 ICCPR, especially as regards electronic surveillance and interception of data. The UN Human Rights Committee and the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism have taken very similar approaches. Constitutional and supreme courts all over the world have developed strict conditions for the collection and processing of personal data. The 1988 Brazilian constitution was the first to introduce the right to an effective remedy in this respect (habeas data), and Uruguay was the first non-European country to accede to Convention 108.

Is the situation really so different in Asia, where some claim that the human rights discourse is Western and irreconcilable with traditional values? In Identity and Violence, Amartya Sen argued that human rights have been articulated no less often in Asia than in Europe. Courts in that region increasingly use the notions of necessity and proportionality, for example the Constitutional Court of the Republic of Korea when it declared the country's “real name” policy unconstitutional in 2012.

Privacy in the sense of the right to be left alone may not be understood in the same way by individuals living in places as diverse as Dakar, Montevideo, New York, Shanghai or Tokyo. However, in spite of widely differing cultural and legal traditions, we should be able to agree on one essential dimension of privacy, the right to the protection of personal data.

Finally, to come back to the Budapest Convention, how do we square the circle and strike a fair balance between the requirements of effective law enforcement and respect for privacy?

Extraterritorial access under the Budapest Convention and data protection

The existing data protection standards will have to be taken into account in the application of the Budapest Convention. It is interesting to note that when we advised countries around the globe on effective law enforcement measures against cybercrime, issues of data protection came up naturally.

All proposals for an additional protocol to the Budapest Convention currently on the table would facilitate transborder access by LEAs to personal data within the jurisdiction of another party. Unless accompanied by adequate safeguards, such access may go against key data protection principles such as necessity, proportionality, or purpose limitation. Parties to the Budapest Convention are bound by a variety of data protection standards: some by the ECHR and Convention 108, others moreover by EU law, and many, in particular the non-European parties, only by their domestic law. In the event of alleged ECHR violations, only European states would be subject to the jurisdiction of the ECtHR, and only EU member states are answerable before the Court of Justice of the European Union for breaches of EU law.

Due to the various data protection standards in force, access cannot be granted a priori by an automatic application of what one party would perceive as “good faith” or “exigent circumstances”, because the interpretation and application of such concepts vary between legal systems. Even the inclusion of additional safeguards, which will by definition be very general given the nature of the Budapest Convention as an international legal instrument, may not be sufficient.

In order to ensure a common baseline on privacy standards, it will be essential for all parties to the Budapest Convention to also become parties to Convention 108. Drafted in a simple and technologically neutral way, Convention 108 represents an internationally agreed minimum standard setting high-level rules while leaving the details up to national implementation. In substance very similar to the OECD and UN standards, it has the advantage of being a treaty with legally binding force, thus providing legal certainty and predictability in international relations. The Convention’s fundamental standards have been the basis for the European Union’s 1995 Directive and were reaffirmed in various bilateral and multilateral agreements.

Convention 108 is already in force for half of the world’s countries which have enacted comprehensive data protection legislation. In total, 46 states have so far ratified the Convention, which has the potential to be applied worldwide. Morocco and Mauritius were the latest countries to request accession. To quote my friend Christopher Kuner, “Convention 108 remains the best treaty-based possibility for the adoption of an international data protection framework.”[8]

Convention 108 is currently being revised. In a few weeks, experts will convene in Strasbourg to finalise the draft for a modernised convention. This modernisation process corresponds to the call for internationally agreed global standards which comes from business and civil society alike and was most forcefully expressed in the Madrid privacy declaration “Global Privacy Standards for a Global World” of 3 November 2009. Only with the active participation of countries and stakeholders from all over the world will the Convention eventually fulfil the vision of its drafters and become a truly international standard for data protection.

Conclusions

It is an illusion to think that we can have complete privacy and total security. However, a balance can – and must – be struck. Forfeiting citizen protection in favour of secret surveillance undermines the very essence of the democratic values which we seek to defend.

In order to protect these values, we must unite all stakeholders in a transparent process. It is not just intergovernmental organisations, such as the Council of Europe, the UN, the OECD, or the European Union that can contribute, but also NGOs and the business community. L'union fait la force (unity makes strength). Coming back to the theme of this year's international conference of data protection commissioners, “A New World Order for Data Protection: Our Dream Coming True?”, I am convinced that our endeavours to address cybercrime and data protection on a global scale will remain a dream unless we join forces.

I wish to leave you with a quote from Oscar Wilde: “Wisdom is to have dreams that are big enough not to lose sight when we pursue them.” Let us never lose sight of that “big dream”: to strike the delicate balance between data protection and security in such a way that LEAs can operate effectively, while respecting the rights of the people whom they exist to protect.

Thank you for your attention!


[1] US President Barack Obama ‘Remarks on securing our nation’s cyber infrastructure’ (29 May 2009).

[2] Paragraph 293 of the explanatory report to the Budapest Convention, http://conventions.coe.int/Treaty/en/Reports/Html/185.htm.

[3] Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS 108 1981).

[4] See ECtHR’s factsheet on data protection, http://www.echr.coe.int/Documents/FS_Data_ENG.pdf.

[5] Klass and Others v Germany, Court (plenary) judgment of 6 September 1978, http://hudoc.echr.coe.int/sites/eng/pages/search.aspx?i=001-57510.

[6] See most recently Hassan v UK, Grand Chamber judgment of 16 September 2014; an overview of the case law is contained in the ECtHR’s factsheet ‘Extra-territorial jurisdiction of States Parties to the European Convention on Human Rights’.

[8] C. Kuner ‘The European Union and the Search for an International Data Protection Framework’, to be published in 2014 in the Groningen Journal of International Law.
