News from Pohlmann & Company

20.02.2023

Germany Signs Second Additional Protocol to the Cybercrime Convention

This week, the Federal Republic of Germany signed the Second Additional Protocol to the Cybercrime Convention. The Council of Europe’s Cybercrime Convention (entered into force on July 1, 2004) is the first agreement under international law to combat cybercrime and serves to combat data network crime effectively and to promote rapid and enhanced international cooperation in criminal matters. The efficiency of prosecution of cybercrime is to be increased by means of appropriate legislation in the signatory states. The agreement contains regulations on international cooperation between the signatory states, specifications for specific criminal offenses (including computer fraud, attacks on network security, child pornography) and specifications on procedural law.

The “Second Additional Protocol to the Cybercrime Convention on Enhanced Cooperation and Disclosure of Electronic Evidence” supplements the Cybercrime Convention and takes into account the fact that evidence in cybercrime cases is increasingly located on foreign servers. The signatory states undertake to mutually hand over data on servers in their territory. The basic aim is to enable the signatory states to gain direct access to data relevant to criminal proceedings from service providers abroad. The Additional Protocol provides for specific areas in which direct access to data at a service provider abroad is to be made possible. Of particular relevance are the provisions on access to inventory, usage and traffic data. According to the legal definition in Section 2 (2) No. 2 TTDSG (German Telecommunications and Telemedia Data Protection Act), inventory data is personal data the processing of which is required for the purpose of establishing, structuring the content of, or amending a contractual relationship between the telemedia provider and the user concerning the use of telemedia. Pursuant to Section 2 (2) No. 3 TTDSG, usage data is the personal data of a user of telemedia the processing of which is necessary to enable, and invoice for, the use of telemedia; this includes, in particular, a) features for identifying the user, b) information on the beginning and end as well as the scope of the respective use, and c) information on the telemedia used by the user. According to Section 3 No. 70 TKG (German Telecommunications Act), traffic data is data whose collection, processing or use is necessary for the provision of a telecommunications service. Content data is data relating to the content of a communication.

Article 6 of the Second Additional Protocol regulates simplified access to data from domain name registration services. According to Art. 6 of the Second Additional Protocol, foreign authorities are to be able to request information and data relevant to a criminal prosecution directly from the domain name registration services. Consequently, the foreign authorities do not have to request the data first from the investigating authorities of the other state and can evaluate the relevant information more quickly.

Article 7 of the Second Additional Protocol allows foreign investigating authorities to directly request stored inventory data at service providers. According to Article 18 (3) of the Cybercrime Convention, inventory data within the meaning of Article 7 is all information in the form of computer data or other data held by a service provider on subscribers to its services, with the exception of traffic data or content-related data. Through this computer data, the identity of the subscriber, his postal and home address, telephone or other access number, as well as details of billing and payment, which are available on the basis of the contract in relation to the service, can be determined.

Art. 8 of the Additional Protocol also provides for a simplified and expedited procedure for retrieving traffic data from data service providers abroad. “Traffic data” according to Art. 1 lit. c of the Cybercrime Convention are all computer data in connection with a communication using a computer system, which were generated by a computer system that was part of a communication chain. However, when requesting traffic data, the investigating authority cannot contact the foreign data service provider directly but must first submit its request to the foreign authority. According to Art. 8 of the Additional Protocol, it should be possible to provide the data in electronic form, and processing should take place within fixed processing and transmission deadlines.

Art. 9 and 10 of the Second Additional Protocol prescribe two accelerated emergency procedures. According to Art. 9, in case of emergency, the access to inventory, traffic and content data shall be accelerated and facilitated. The investigating authority can request data on its territory through a 24/7 contact point and gain access to the investigative data in an emergency without a lengthy mutual legal assistance procedure. Art. 10 also provides for a “rapidly expedited” procedure, which is intended to enable the direct transfer of data to the investigating authority in an emergency.

The Second Additional Protocol also contains certain data and legal protection mechanisms due to the sensitive nature of electronic data. Art. 13 provides that the establishment and implementation of the data transfer procedures provided for by the Second Additional Protocol shall comply with the legal safeguards provided for in the respective national law. Also, human rights and freedoms must be adequately taken into account in the implementation of the provisions. Article 14 contains provisions on data protection, unless the contracting parties have already concluded individual data protection agreements on electronic data transmission in criminal proceedings. Accordingly, authorities must take appropriate data protection precautions when transmitting sensitive electronic data (e.g., biometric data or political opinions). Furthermore, the processing and evaluation of data is limited only to the purposes agreed upon in the Second Additional Protocol.

At the national level, access to inventory and usage data at data service providers is permitted under Sections 22, 24 TTDSG. Pursuant to Section 22 of the TTDSG, anyone who provides telemedia services on a business basis, participates in such services or provides access for use thereof, may use inventory data in order to fulfill obligations to provide information to the bodies specified in the provision. Requests for information must be made in writing or electronically. Pursuant to Section 22 (3) No. 1 TTDSG, information on inventory data may be provided to the authorities responsible for the prosecution of criminal and administrative offenses if there are sufficient factual indications of a criminal offense or administrative offense that is punishable by a fine of a maximum of more than fifteen thousand euros against a natural person and the data to be included in the information is necessary to investigate the facts of the case, to determine the whereabouts of an accused or affected person or to enforce a penalty. Pursuant to Section 24 (1) TTDSG, anyone who provides telemedia services on a business basis, or who cooperates in providing or arranging access to such services, may use the usage data in accordance with this provision to fulfill information obligations vis-à-vis the bodies mentioned in (3). Pursuant to Section 24 (3) No. 1 TTDSG, telemedia services may also provide information on usage data to law enforcement authorities if there are sufficient factual indications of a criminal offense and the data to be collected is necessary to investigate the facts of the case or to determine the whereabouts of an accused person in the case of telemedia services.

In terms of criminal procedure, the requirements for actual access to data by law enforcement agencies are very high. Pursuant to Section 100a (1) sentence 2, (4) StPO (German Code of Criminal Procedure), anyone who provides telecommunications services or cooperates in such services must allow the court, the public prosecutor’s office and their investigators working in the police service to access content data from telecommunications surveillance and provide the necessary information without delay. However, in accordance with Section 100a (1) StPO, there must be suspicion of a serious offense as defined in Section 100a (2) StPO, the offense must be serious in the individual case, and the investigation of the facts must be significantly impeded or futile in some other way.

Section 100g StPO sets similarly high requirements for the collection of traffic data. In particular, if there is suspicion of a criminal offense specified in Section 100a (2) StPO and the collection of data pursuant to Section 100g StPO is proportionate to the matter at hand, data may be collected by the law enforcement authorities. The law enforcement authorities may also request information on inventory data pursuant to Section 100j StPO for the purpose of investigating the facts of the case or determining the whereabouts of an accused person. Such a request for information is subject to the requirements of Section 100j (1) StPO and, pursuant to (3), may only be ordered by the court at the request of the public prosecutor’s office.

Furthermore, Section 100g (1) StPO provides that if certain facts give rise to the suspicion that someone has committed a criminal offense, also of considerable importance in individual cases, as a perpetrator or participant, in particular an offense described in Section 100a (2) StPO, usage data may be collected from those who provide their own or third-party telemedia for use on a business basis or provide access to use, insofar as this is necessary for investigating the facts of the case and the collection of the data is in reasonable proportion to the importance of the matter. The collection of usage data must therefore also be based on a serious criminal offense and a discretionary assessment must be made in each individual case.

The procedural provisions provided for by the Second Additional Protocol will now have to be implemented in national legislation with regard to international cooperation with foreign authorities. It is to be hoped that implementation will continue to guarantee the high threshold for intervention and the legal protection enshrined in the Code of Criminal Procedure and that the data protection provisions will not be watered down by the requirements of European law. The precautions under data protection law and the high standard of protection as set out in Section 100a et seq. StPO must not be undermined.