Privacy concerns linger around new EU data sharing Protocol
The Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence, which can include digital identity data or forensic biometrics, is due to be approved in November amid calls from human rights organizations to amend so-called intrusive new powers.
The planned Protocol, approved by the 24th plenary of the Cybercrime Convention Committee (T-CY) in May, will grant broader and more comprehensive powers to law enforcement in accessing user information in criminal cross border investigations, while seeking to establish a new international standard that will govern several aspects of policing on a global scale.
Dubbed a threat to human rights, especially those of migrant and refugee populations by several rights organizations (EFF, EDRi, CIPPIC, Derechos Digitales, Karisma Foundation and others), a set of recommendations to the COE have been put forward with hopes to amend the text before final approval in November.
Twenty recommendations range from requiring law enforcement to garner independent judicial authorization as a condition for cross border requests for user data, to prohibiting police investigative teams from bypassing privacy safeguards in secret data transfer deals.
According to the EFF, the protocol prioritizes granting law enforcement intrusive powers over adopting safeguards for privacy and human rights, reportedly with minimal input from external stakeholders and independent privacy regulators. The EFF highlights particularly Article 14 (Protection of personal data) which according to the Foundation, fails to meet modern data protection requirements and seeks to undermine emerging international standards. Without such input, law enforcement authorities would be under no regulatory jurisdiction relating to the access of personal information.
Biometric data safeguarding under Article 14 is labelled as insufficient by the EFF, which says that the proposed safeguards provide a narrower scope of protection to biometric data than required by competing laws such as the GDPR and others (of which recognize the sensitivity of biometric data in all contexts). Recommendations for amendment therefore cover establishing a minimum threshold of privacy protection.
According to the document, the Protocol acknowledges the importance of adoption of sufficient safeguards for data (under Substantive Considerations), and provides for these to complement the obligations of many of the Parties to the Convention. The document contains four chapters and preliminarily addresses the importance of gaining justice for victims of cybercrime as well as the need for increased and more efficient co-operation between States and the private sector.
The EFF argues however that the proposed safeguards are optional and therefore not adequate as the Protocol also discourages court oversight, citing that this poses a threat to the safety of those who use the internet to comment on and criticize politicians and governments. Furthermore, the EFF has advocated for the removal of Article 7 (Disclosure of subscriber information) completely, due to the fact that states would still be able to access subscriber data in cross-border contexts.
“This Protocol will facilitate more effective investigations and ensure that the rule of law reaches deeper into cyberspace than ever before,” says Deputy Secretary General of the Council of Europe Bjorn Berg, citing the Protocol’s aims in detecting crime across multiple jurisdictions. This will be conducted via more efficient ways of public-to-public cooperation according to COE.
Amnesty addresses human rights concerns in open letter to EURODAC
Amnesty International are echoing calls for human-rights focused use of biometric and personal data via an open letter to the EU’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) this month, regarding the new draft regulation for EURODAC (the EU’s asylum fingerprint database), calling the agency a powerful tool for mass surveillance.
In May, human rights groups opposed the proposed amendments to Eurodac’s biometric system including lowering age of data collection from 14 to 6.
Amnesty points to several concerns including; The processing of facial images, Taking the biometric data of children when child protection is not the purpose, and Coercion among others, calling on Members of the European Parliament to implement four recommendations in order to resolve these concerns.