Budapest Convention: Council of Europe decides to facilitate the exchange of electronic evidence

In future, investigating authorities and public prosecutors‘ offices will be able to force internet providers in a third country to hand over data on their users without a court order there. Even more far-reaching surveillance measures on „e-evidence“ are to be regulated in additional agreements.

Just in time for the 20th anniversary of the Convention on Cybercrime, the Council of Europe’s Committee of Ministers adopted a second Additional Protocol on Wednesday. Under the title „enhanced co-operation and disclosure of electronic evidence“, the signatory governments want to commit themselves to the mutual release of data on servers in their territory. The treaty is to be published for signature in May 2022.

The Council of Europe brings together 47 states, including all Schengen members, as well as countries such as Russia, Ukraine, Turkey and the candidates for accession to the European Union. The Additional Protocol to the Cyber Crime Convention („Budapest Convention“), adopted in 2001 in Budapest, is currently signed by 19 other governments, including the United States, Australia, Canada, Japan, Israel and Chile. At least ten countries have been invited to join.

In „emergencies“ also orders on content data

The „Budapest Convention“ is intended to speed up the usual procedures for bilateral mutual legal assistance in which courts decide on a request for „e-evidence“. With the new legal basis, prosecutors can request personal inventory and traffic data as well as information on users from internet providers in the partner countries. This also includes information on the registration of domain names.

In „emergencies“, the disclosure of electronic evidence should also include content data. This may be a situation „where there is a significant and imminent risk to the life or safety of any natural person“. As examples, the treaty text mentions hostage-taking, the ongoing sexual abuse of a child or scenarios following a terrorist attack. Even in a non-urgent case, participating states may request content data, but they must use other (such as bilateral) mutual legal assistance procedures.

The second Additional Protocol also regulates the establishment of joint investigation teams in which prosecutors and public prosecutors‘ offices of individual countries can join forces. Cooperation can then take place via videoconferencing.

Great interest in expansion

Originally, the new Additional Protocol was also supposed to allow special investigative techniques. The European Commission, which took part in the negotiations on behalf of the EU member states, had proposed an „extension of searches“. This refers to cases in which authorities can access accounts of those concerned after confiscating a device or by secretly obtaining login data, even if these are located with providers abroad.

The United States government had also called for blanket permission for „covert investigations by means of a computer system“ on servers in third countries, in which police use false identities to travel on the internet and participate in chats with suspects. According to the convention, these techniques are „of high interest to the Parties“, but the negotiations needed for this would have exceeded the time frame for drafting the protocol. The issues are therefore not off the table, but will instead be pursued „in a different format and possibly in a separate legal instrument“.

Negotiations on EU-US agreement on hold

The European Union wants to adopt a regulation on „Production and Preservation Orders for electronic evidence in criminal matters“, but the trilogue negotiations with the Parliament have stalled. MEPs demand that the competent authorities of a country must be informed if data on their territory is affected by an order for disclosure by another state.

Because many of the large internet service providers are based in the United States, the EU Commission is to work out an additional EU-US agreement with the government in Washington. Under the „CLOUD Act“, US authorities could oblige companies in Europe to hand over their users‘ data. These talks are also on hold, and a resumption is currently being prepared within the framework of high-level EU-US meetings. Two years ago, the United States concluded a bilateral agreement on the exchange of „e-evidence“ with the United Kingdom, which, however, could not come into force due to various problems. Negotiations are also underway with Australia and other unnamed third countries.

Finally, in January, negotiations for a global mutual legal assistance agreement to combat cybercrime are to begin at the United Nations level. This was requested by the government in Moscow against the votes of the EU governments and the USA. The EU Commission also wants to participate in this on behalf of all 27 member states, but a corresponding Council decision is needed first.

Image: In a promotional video for the new additional protocol, the Council of Europe depicts a raid by special units on „cyber criminals“ (Council of Europe).

Autor: Matthias Monroy

Knowledge worker, activist, editor of the German civil rights journal Bürgerrechte & Polizei/CILIP.