Data Protection in International Investigations – An Analysis of the Laws Most Affecting Investigative Bodies, Their Compliance, and Suggestions for Best Practices Moving Forward

An Analysis of the Laws Most Affecting Investigative Bodies, Their Compliance, and Suggestions for Best Practices Moving Forward

Kaitlyn Karpenko

Columbia Law School/Amsterdam Law School Joint Degree Candidate May 2019

Master’s Thesis

Profs. Lori Damrosch and Jill Coster van Voorhout May 8, 2019

Table of Contents

I. Introduction...3

II. Data Protection Regimes...5

1. Human Rights Constructions...5

2. Specific Data Handling Constructions of the EU...8

3. Specific Country Constructions Regarding Data Privacy and Law Enforcement...11

A. Within the EU...12

B. Outside of the EU...13

III. International Law Enforcement and the Rising Use of Data...16

IV. A Review of Internal Policies for Data Privacy Compliance...19

1. Methodology and Standard...19

2. Examples of European-based International Investigative Bodies...20

3. The Investigatory Judges of the ECCC...25

V. International Law Enforcement Best Practices and Changes...26

VI. Conclusion...27

Abbreviation Quick Reference

Privacy actors and regulations often have long and confusing names. In order to reduce confusion and save space, the following abbreviations have been employed. These abbreviations are also introduced in the text of the paper.

2016/680 – Directive 2016/680 on the protection of natural persons with regard to the processing

of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, 2016 O.J. (L119), 89.

DPA – The Data Protection Act 2018, c. 12, (Gr. Brit).

GDPR – Regulation 2016/679 on the protection of natural persons with regard to the processing

of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L119), 1.

LGPD – Lei 13.709, de 14 de Agosto de 2018, Lei Geral de Proteçao de Dados (Braz.). OTP – Office of the Prosecutor of the International Criminal Court

PIPA – [Personal Information Privacy Act], Act. No. 10465 Mar. 29, 2011 amended by Act No.

14107, Mar. 29, 2016 (S. Kor.), translated in Ministry of the Interior and Safety https://www.privacy.go.kr/eng/laws_view.do?nttId=8186&imgNo=1.

I.

Introduction

International investigations pose a unique risk to data privacy regimes. While Europe in particular, and increasingly other parts of the world, are attempting to protect data and increase rights to data for users and creators, crossing national borders is an inevitability. Remote data storage and increased use of cloud systems mean that data is not only sourced from outside an investigation’s home borders, but may actually reside there as well. In one particularly media-friendly case, American rules of civil procedure were changed to accommodate this

unprecedented ease with which data crosses boundaries.1 _{This issue is not new; rules for}

handling the jurisdiction of foreign-held objects and people have existed since the inception of transnational and international law, but the exponential, explosive amount of information travelling around the world at any minute puts strain on traditional models of analysis.2 _{Add in}

experimental, sweeping, yet fragmented privacy laws, and chaos reigns. It will probably take many years for data privacy laws to settle on definition and interpretation in even a local context, however the shaping of these laws will be particularly important. Bodies which have

traditionally handled evidence and information which crosses cultural and regional boundaries have to take notice and be involved in the creation process. International law tends to move slowly, but international legal institutions, including courts and prosecutors’ offices, have to pick up the pace if they hope to stay effective in the modern era. Adopting best practices now, and attempting to follow general provisions of privacy will allow better ease of access and

modification in the future.

This paper takes a broad approach. It begins with general constructions of privacy laws, more narrow laws from around the world tailored to privacy, and then looks at the data use policies of a sampling of international investigative bodies. This includes data which may fall

1

United States v. Microsoft Corp., 584 U.S. ___ (2018) (Vacating as moot an earlier ruling by the Second Circuit following the passage of the CLOUD act; the original ruling by the circuit found that data which had been subpoenaed by the Southern District of New York was stored on server(s) in Ireland, therefore execution of a search would be a violation of extraterritoriality). See also Louise Matsakis, Microsoft’s Supreme Court Case Has Big

Implications for Data, WIRED, Feb. 27 2018,

https://www.wired.com/story/us-vs-microsoft-supreme-court-case-data/.

2

America typically allows access to data simply after ‘notice,’ under FED.R.CIV.P. 4(f). Sources have cited international legal authority, such as the Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters, opened for signature March 18, 1970, 23 U.S.T. 2555, as a model for proper service compliance but allows methods where “there is no internationally agreed means, or if an international agreement allows but does not specify other means, by a method that is reasonably calculated to give notice.” There is significant debate about extra jurisdictional service, which is far outside the scope of this paper.

under law enforcement exceptions, as well as data which is stored and used by the organizations that may fall under other protection regimes. While the EU is uniquely situated to handle issues of cross-border investigations due to the structure of the European Union, at least within the EU member countries, these data rights implicate issues far outside of European borders.

Thus, this paper will proceed in four parts. First, there will be an overview of the data privacy regimes implicating international investigations. This includes Article 8 of the European Convention on Human Rights, selected sections of the General Data Protection Regulation (GDPR), and Directive 2016/680. It will also go over a selection of individual countries’ data privacy laws or regimes with particular focus on the way each outlines law enforcement exceptions.

Second, this paper will explore the reasons which these regimes matter in international investigations. This includes an exploration of the rights that are implicated, who gets those data protection rights, and theories behind these constructions.

Third, this paper will examine how the policies of selected international investigatory bodies comply, or fail to comply, with data protection regulations. This include the Office of the Prosecutor for the International Criminal Court, Europol, Interpol, and the Investigative arm of the Extraordinary Chambers in the Courts of Cambodia.

Finally, this paper will conclude with some broad suggestions which address various concerns of prior research, including how best to balance privacy using law enforcement

exceptions while still allowing law enforcement and investigative bodies the space and ability to conduct their own analysis and investigation. In particular, this paper will take a preemptive position against unified data privacy regimes, due to the highly fractured and local view of these rights, and instead encourage individual prosecutors to comply with the strictest possible data regimes they operate under across countries for all data they handle. If contradiction is found to exist, the strictest standard should be applied. Not only does this have the potential to streamline data handling, but will increase accountability and trust in these bodies.

While this paper does not espouse a strict textualist viewpoint in interpretation, it shall nevertheless begin with the texts of the operative instruments. Those instruments encompass broad human rights declarations which either cover or have subsequently been interpreted to cover, data, as well as legal authority directly targeted and exclusive to data handling.

1. Human Rights Constructions

The broadest rights to privacy, and those that cover data in the simplest sense, are embodied in human rights documents. First, Article 8 of the European Convention on Human Rights, the right to respect for private and family life:

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.3

Throughout its history this provision has ensured an overarching and wide reaching privacy right for EU citizens. Historically this has covered data, and the police exceptions embedded into the provision have been carefully scrutinized by the European Court of Human Rights. Generally, a reasonable expectation of privacy is required in order to trigger Article 8 rights, though this is not dispositive in and of itself to waive one’s rights.4 _{Even for some public}

activity, surveillance and monitoring by police will trigger Article 8 rights.5 _{The Court issued}

guidance regarding the use of data in law enforcement settings:

The indiscriminate and open-ended collection of criminal record data is unlikely to comply with the requirements of Article 8 in the absence of clear and detailed statutory regulations clarifying the safeguards applicable and setting out the rules governing, inter alia, the circumstances in which data can be collected, the duration of their storage, the use to which they can be put and the circumstances in which they may be destroyed.6

3

EUR. CONV. ON H.R. Art. 8

4

Benedik v. Slovenia, Eur. Ct. H.R. § 101 (2018) (finding that dynamic IP addresses, while generally accessible and available to the public, were protected from police surveillance without a court order by Article 8).

5

P.G. and J.H. v. the U.K., Eur. Ct. H.R. § 57 (2001) (monitoring and surveillance without a court order violated Article 8, even though the individual was only engaging in public activity).

The presence of these guidelines will be discussed in the next subsection.

The analogous provision to Article 8 in America, though considerably weaker both in language and subsequent interpretation, is the Fourth Amendment to the United States Constitution:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.7

Fourth Amendment jurisprudence is, to put it colloquially, messy, but the short version is that individuals’ digital data are ‘effects,’ and therefore require a warrant or probable cause to be searched and seized by police. Unlike Article 8, which is framed as a universal right with exceptions for legitimate, law enforcement purpose, the Fourth Amendment is framed more as a right against the police, and only the police. Individuals not operating under the color of law cannot commit Fourth Amendment violations. There are numerous exceptions to the Fourth Amendment as well, the most applicable is the third party doctrine,8 _{which allows police to}

search data handled by third parties without the strict evidentiary requirement of a warrant. Because most people use services such as Google or iCloud to back up their personal data, or communicate and share using platforms like Facebook, for some time almost all digital, internet transmitted data was seen as falling under this exception.9 _{Congress has acted in part to make}

cloud storage providers explicitly subject to certain evidentiary standards,10 _{and the Supreme}

EUR. CT. H.R., HUMAN RIGHTS GUIDEON ART. 8 OFTHE EUROPEAN CONVENTIONON HUMAN RIGHTS, 35 (2018) https://www.echr.coe.int/documents/guide_art_8_eng.pdf Citing M.M. v. U.K., EUR. CT. H.R § 199 (2012).

7

U.S. CONST. amend. IV.

8

Smith v. Maryland, 442 U.S. 735, 743-44 (1979) (“a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties”).

9

See, e.g., the works of Orin Kerr and Richard Epstein for an overview and critique of this doctrine, particularly Richard A. Epstein, Privacy and the Third Hand: Lessons from the Common Law of Reasonable Expectations, 24 BERKELEY TECH. L. J. 1199 (2009); Orin Kerr and Greg Nojeim, The Data Question: Should the Third-Party

Records Doctrine Be Revisited?, ABA JOURNAL (Aug. 1, 2012), available at http://www.abajournal.com/

magazine/article/the_data_question_should_the_third-party_records_doctrine_be_revisited/.

10

The Stored Communications Act. 18 U.S.C. Chapter 121 §§ 2701–2712 (1986); The Clarifying Lawful Overseas Use of Data Act (CLOUD) Act, 18 U.S.C. 2523 (2018)

Court has also interpreted cell site location information specifically as subject to Fourth Amendment protection, despite being held and created by a third party service provider.11

This will not be a paper about American jurisprudence, in fact America’s involvement in international investigations is woefully insufficient, perhaps due in part to America’s

unwillingness to be subject to international law, as well as a fear of prosecution of its own potential crimes.12 _{However, this serves as an important anchor and backdrop for how different}

regions view the protection of data, and how those views change over time. The speed of law is almost always slower than change, but even large corporations which would be heavily regulated under stricter privacy law regimes have called on America to speed up its act.13

Between just these two constructions of privacy under the law, there is already tension. Europe does not subscribe to a blanket third party exception for data as America does, for example, and the search warrant requirements are heavily decreased for digital data in America, where they are not under Article 8 jurisprudence. America tends to approach the rule as a rule against police intrusion, carving out wide exceptions that in themselves have their own

exceptions. Europe looks at it from a fundamental right to privacy which is individual and essential. Professor Bart can der Sloot identifies eloquently the difference as one of privacy (the American construction) and personality (the European construction), sometimes called

Persönlichkeitsrecht.14 _{These philosophies are not necessarily contradictory but they do require}

careful thought and condition when crafting policies that may have to comply with both.

11

United States v. Carpenter, No. 16-402, 585 U.S. ____ (2018).

12

See e.g. US to Deny Visas for ICC Members Investigating Alleged War Crimes, GUARDIAN, Mar. 15, 2019,

https://www.theguardian.com/us-news/2019/mar/15/mike-pompeo-us-war-crimes-investigation-international-criminal-court; Though America has had a heavy hand in international criminal justice in the past, particularly following World War II see American Bar Association, The US-ICC Relationship, THE ABA-ICC PROJECT, 2019,

https://www.aba-icc.org/about-the-icc/the-us-icc-relationship/.

13

Dan Simmons, Apple CEO Tim Cook Calls for Federal Privacy Law in the US, COMFORTE, Oct. 26, 2018,

https://insights.comforte.com/apple-ceo-tim-cook-calls-for-federal-privacy-laws-in-the-us. Though this could also be a situation where Apple believes it may be able to choke out the competition by imposing regulation is knows it would be able to meet but smaller companies would struggle to implement the needed levels of security and enforcement.

14

Bart van der Sloot, Privacy as the Personality Right: Why the ECtHR’s Focus on Ulterior Interests Might

Prove Indispensable in the Age of “Big Data,” 30 Utrecht J. of Int. and Eur. L. 25, 25-27

2. Specific Data Handling Constructions of the EU

There are numerous data privacy constructions which exist around the world. These vary in applicability, enforcement, and scope. The EU has the most far reaching and extensive data privacy regimes in place,15 _{the General Data Protection Regulation, (herein “the GDPR”)}16 _in

particular which other countries have attempted to follow. Beginning with the EU, it is

important to differentiate between two types of legal documents which have effect on member states. The first are Regulations, which have direct effect on member states, and the second are Directives, which direct member states to implement legal frameworks. The difference is important, because several countries which are not EU member states, notably Iceland, Norway, and Lichtenstein, are still bound by regulations as part of the European Economic Area, but not generally by directives. These specific countries are not large players in international

investigatory legal circles, and so are not explored in this paper, however it highlights that even within the EU’s framework, gaps exist practically by design.

Article 16 of the Treaty on the Functioning of the European Union establishes that “everyone has the right to the protection of personal data concerning them.”17 _{This led to some of the}

earliest data protection directives and frameworks in Europe, and laid the foundation for many of the laws in this section. Because the enforcement of this has largely been left up to these specific directives and frameworks, Article 16 will not be discussed at length.

The legal authority with the largest reaching effect on the international data handling stage, the GDPR, replaced a previous, outdated, and less extensive data protection directive and incorporated and expanded the provisions originally found within. The basic tenants of the GDPR involve the following concepts: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality (security), and

15

As discussed below in Section II.3(B), the EU was not the first to implement user-focused data privacy laws, however due to the sheer volume of business involving EU citizens, it is by far the most broadly applicable, and the one most known to effect American business.

16

Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L119), 1.

17

accountability.18 _{These in turn have their own provisions which have become part of the public}

consciousness, including the creation of data protection officers and the ‘right to be forgotten.’19

Not all of these necessarily apply to all organizations, and GDPR compliance expectations do vary depending on size and type of organization.

The deadline for compliance with the GDPR was May 25, 2018.20 _{Companies have generally}

struggled with the compliance timeline, and data security companies, which serve to benefit from low compliance rates in order to sell compliance services to other businesses, report

non-compliance as high as seventy percent among those businesses surveyed.21 _{Some academic}

empirical analysis of specific country law has been attempted, but due to the relatively recent applicability date of the regulation, such data is difficult to analyze and collect.22

The GDPR created international controversy when it was enacted, as the EU would force all data handlers, even those outside of the European Union, to comply with EU law if it touched EU citizens.23 _{This novel view of the flow of data was not popular among either countries which}

operate internationally and countries outside of the EU, as it seemed to put an unreasonable restriction on the rights of their citizens. For the purposes of law enforcement, the GDPR contains the following provision, at Art. 2 section 2(d):

This Regulation does not apply to the processing of personal data . . . by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.24

18

Information Commissioner’s Office, The Principles – At a Glance, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/ (last visited May 8, 2019).

19

See GDPR Chap. 3 generally for a full list of the enumerated individual rights.

20

GDPR Art. 99.

21

Notably, only 35 percent of European companies — which are those most affected by the GDPR – were able to comply with requests, versus 50 percent of those outside the EU. The Majority of Businesses Surveyed are Failing

to Comply with GDPR, according to New Talend Research, TALEND, Sept. 13, 2018,

https://www.talend.com/about-us/press-releases/the-majority-of-businesses-are-failing-to-comply-with-gdpr-according-to-new-talend-research/.

22

Bart Custers et al., A Comparison of Data Protection Legislation and Policies Across the EU, 34 Comput. L. & Sec. R. 234 (2018) https://www.sciencedirect.com/science/article/pii/S0267364917302856.

23

See generally GDPR Art. 3.

24

Note that competent authorities are still subject to the GDPR, but not during the express purposes of criminal investigations and related activities.

The EU parliament passed a Directive simultaneously with the GDPR which handled the processing of law enforcement data in the course of investigations etc. of criminal offenses, Directive (EU) 2016/680 (herein “2016/680”)25 _{which, like the GDPR, also replaced another}

legal document, the Council Framework Decision 2008/977/JHA. This new Directive sets the most widespread guidelines for implementing comprehensive data protection regulations among law enforcement and criminal investigative agencies. It applies to the ‘competent authorities’ excluded from the GDPR, which “may include not only public authorities such as the judicial authorities, the police or other law-enforcement authorities but also any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of this Directive.”26 _{Again, this is only in the processing of data throughout the investigation etc.}

process. Data held for other purposes by a competent authority is still subject to the provisions of the GDPR. Article 9.1 clarifies that “[w]here personal data are processed for such other purposes, [the GDPR] shall apply unless the processing is carried out in an activity which falls outside the scope of Union law.” Even data that was once used in the permissible scope of 2016/680 must then be compliant with GDPR regulations once it is used for purposes outside of the scope of 2016/680, including “for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”27 _{This means that general crime prevention,}

statistical analysis of prosecutor activity, or other purposes not related to specific crimes subjects such data to the GDPR. There are hypothetical examples where a seemingly far-reaching data analysis could remain under 2016/680, for example if the investigation is for a far-reaching or highly dispersed crime among a large population. These purposes might potentially be more prevalent in international investigations, but individual justification for the use of such data is ideally prepared or kept in mind when conducting such large-scale investigations. However, data handlers must also be aware that the automated processing of criminal data which produces an “adverse legal effect” is prohibited by Article 11 of 2016/680.

25 2016/680 . 26 2016/680 at para. 11. 27 2016/680 Art. 9.2.

Directive 2016/680 is also applied to processors and controllers of data used for permissible purposes, and the burden is on the competent authorities to ensure that the entities they work with comply with all regulations. The authorities themselves may be controllers or processors without the need to rely on external sources and entities.28 _{Directive 2016/680 also defines and}

regulates the handling of data by ‘third countries’ (presumably non-EU countries), and

‘international organizations.’29 _{Of note, the transfer of data to either requires an adequate level}

of protection, which the Court of Justice of the European Union arguably defined, prior to the passage of the GDPR and 2016/680. “. . [A]ny form of processing of personal data is covered by Article 8 of the Charter and constitutes an interference with the right to the protection of such data. [Subsequent access by a non-authorized party] constitutes an interference with the

fundamental right to protection of personal data guaranteed in Article 8 of the Charter, since such access constitutes a processing of that data.”30 _{It seems that all third party access is subject to}

Article 8 and EU oversight.

Directive 2016/680 applies to all cross and intra border data held and used by competent authorities in the pursuit of criminal investigations of other proceedings. This is an expansion form the previous framework, which only applied to cross border criminal investigations, and a change that prosecutors should be aware of when amending their policies in order to remain compliant.

In addition to all of the safeguards data handlers are required to comply with, they must also fashion a report which details how those goals are met and how they have integrated the

requirements into their existing data regime. This is the ‘privacy by design’ portion of the GDPR and related directives and should also be considered when crafting and implementing policy changes.31 _{Individuals whose data is mishandled could potentially be entitled to monetary}

damages and compensation.32

28

2016/680 Art. 3(7-9).

29

Defined by 2016/680 Art. 1 (16) “as an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.”

30

Advocate General's Opinion on Case C-362/14 (Maximillian Schrems v Data Prot. Comm’r), 2015 I.C.J. ¶170 (Sept 23, 2015).

31

2016/680 Art. 20.

3. Specific Country Constructions Regarding Data Privacy and Law Enforcement

As a Directive, 2016/680 must be implemented by the member states of the EU in the language and tradition of local law. Outside of the EU, several other countries have implemented their own data protection laws which either have explicit law enforcement

exceptions or, similar to 2016/680, lay out extensive frameworks. Over 120 countries have data privacy laws which could affect law enforcement,33 _{however the below examples give an}

overview of the types of data protection regimes that exists as well as give an overview of the variety of approaches different cultures and countries have chosen to adopt.

A. Within the EU

All countries within the EU are required to enact laws for portions of the GDPR which have not been explicitly laid out in the regulation, as well as create laws which comport with

2016/680. The deadline for member states to incorporate the directive into national law was May 8, 2018.34

It is impossible to go into each at length, so instead this paper will focus in on the Data Protection Act35 _{formulated by the United Kingdom, which provides an excellent example of the}

way the regulation and directive have been incorporated into local law. This can provide a model across Europe, as one study found “[d]ifferences in the implementation of the data

protection directive into national legislation are very small in the countries investigated: although EU member states are allowed to implement more provisions than those mentioned in the EU data protection directive, only a few countries implemented such additional provisions for further

2016/680 Art. 56.

33

Spencer Kimball, The Future of Data Protection Law, COCKROACH LABS, Feb. 26, 2019, https://www.cockroachlabs.com/blog/data-protection-law/.

34

European Council, Data Protection in Law Enforcement, Mar. 27, 2019,

https://www.consilium.europa.eu/en/policies/data-protection-reform/data-protection-law-enforcement/.

35

The UK Data Protection act was formulated and implemented with GDPR and 2016/680 data compliance in mind, notwithstanding any current or future separation from the EU which may or may not occur. Because it was incorporated using local tradition it would be unlikely to be significantly altered even if the UK withdraw from the European Union.

protection.”36 _{The UK is one who has not significantly expanded beyond the requirements of the}

directive.

The Data Protection Act (herein “DPA”)37 _{enumerates actors subject to 2016/680}

requirements, including “public authorities,” a phrase defined in the Freedom of Information law of 2000 and includes most local and regional governments, law enforcement, and departments.38

In the tradition of UK law, it relies on other earlier legislation for definitions, power, and enumeration. To assist with a layman’s understanding, the UK government has released a law enforcement guide to the provisions.39 _{The GDPR has seven key principles, while the British}

law enforcement act only contains six: fairness and lawfulness, specificity, relevance, accuracy, retention limitation, and security. Substantially similar, however missing an explicit

commitment to accountability.40 _{This does not make the act non-compliant, as these principles}

are guides and do not speak to the accountability measures which are present in the act. Namely, it does contain reporting provisions, including relevant documentation of processing compliance, the appointment of a Data Protection Officer, and privacy by design provisions.41 _{These are all}

integrated into local law for better ease of legal authority as well as increased accessibility to both lawyers and lawmakers seeking to practice and govern using the history of the local state.

These provisions, while modelled on 2016/680, largely mirror the GDPR; this is unsurprising as 2016/680 was meant to implement the GDPR for law enforcement, but allow local law to take care of the specifics as law enforcement in particular is a highly nationalistic enterprise.

Next, a look at the data protection regimes implemented by other countries outside of the EU which provide different levels of protection.

A. Outside of the EU

36

Custers et al., supra note 22 at 243.

37

The Data Protection Act 2018, c. 12, (Gr. Brit).

38

Id. Art. 7.

39

Gov.UK, Data Protection Act: Law Enforcement Processing, May 25, 2018.

https://www.gov.uk/government/publications/data-protection-act-law-enforcement-processing.

40

Information Commissioner’s Office, The Principles – At a Glance, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/ (last visited May 8, 2019).

41

South Korea's Personal Information Protection Act (Herein “PIPA”) has been effective since September of 2011, several years prior to the GDPR. Many of the provisions are similar,

including provisions requiring consent, limiting the scope of data collected, limiting and requiring justification for data retention periods, as well as a requirement of a Chief Privacy Officer, which is functionally similar to the appointment of a Data Protection officer under the GDPR.42 _{Unlike the GDPR, however, it contains a provision which explicitly does not apply}

“[w]here it is necessary for the investigation of crimes, indictment and prosecution.”43 _This

exception is extremely broad, and no analogous law which allowed for more regulation of law enforcement in taking advantage of this exception could be found.44

Lei Geral de Proteçao de Dados Pessoais (herein “LGPD”) in Brazil was modelled after the GDPR. The LGPD was passed into law in August of 2018, and contained many of the same provisions as PIPA and the GDPR.45 _{While these include a data protection officer position and}

limitations of data use, it contains, much like PIPA, a rather expansive law enforcement

exemption covering “crime investigation and punishment activities.”46 _{Deadline for compliance}

is in February 2020, so it is yet to be seen how expansive this exception will become, and it is likely that local and regional laws within the country could fill the gap.

The Australia Privacy Act of 1988 and Information Privacy Act of 2009 both govern data use by Australian companies, and outline a much less permissive set of exceptions than PIPA or the LGPD.47

42

Alex Wall, GDPR Matchup: South Korea’s Personal Information Protection Act, I.A.P.P., Jan. 8, 2018, https://iapp.org/news/a/gdpr-matchup-south-koreas-personal-information-protection-act/.

43

[Personal Information Privacy Act], Act. No. 10465 Mar. 29, 2011 amended by Act No. 14107, Art. 18, Mar. 29, 2016 (S. Kor.), translated in the Ministry of the Interior and Safety Database

https://www.privacy.go.kr/eng/laws_view.do?nttId=8186&imgNo=1.Art. 18 .

44

Though the author admits that she lacks in any working knowledge of the Korean language, which likely hindered the search.

45

Lei 13.709, de 14 de Agosto de 2018, Lei Geral de Proteçao de Dados (Braz.) available at:

http://dataprivacy.com.br/protecao_de_dados_pessoais.docx (this URL may prompt a download of the document in Portuguese).

46

Id. Art. 4.III.(d) (unofficial translation)

47

Office of the Information Commissioner, Privacy and Law enforcement agencies, QUEENSLAND OFFICIAL

WEBSITE, June 5, 2017,

Under section 29, the privacy principles with which a law enforcement agency does not have to comply are:

 IPP 2: provide a collection notice

 IPP 3: only collect relevant, complete and up to date personal information, and do not intrude unreasonably on an individual's personal affairs

 IPP 9: only use relevant personal information

 IPP 10: only use personal information for the purpose for which it was collected, unless an exception applies

 IPP 11: do not disclose personal information to anyone but the individual it is about, unless an exception applies.48

Much like the European scheme, Australian entities still have to comply with other provisions of the act for data which does not fit law enforcement criteria.

Japan also passed the Act on Protection of Personal Information (APPI) as well as an associated Act on the Protection of Personal Information Held by Administrative Organs.49

These laws also mimic the GDPR, though have a broader scope, as they do not theoretically have a territorial limit, with less stringent penalties, as there are no court remedies, though Japan does require a privacy authority to oversee compliance which presumably acts similarly to the data protection officer. The laws differentiate between personal data and sensitive data, thereby having rough content-type determinations which would affect privacy level expectations.50 _The

law governing administrative organs contains explicit exemptions for criminal law enforcement provisions, for example in the creation and reporting of personal profiles on individuals. Law enforcement have a very broad exemption for data “prepared or obtained for criminal

investigation, investigation of tax crimes based on the provisions of laws related to tax, or institution or maintenance of prosecution.”51 _{This appears to cover any entity who, through}

legitimate authority, conducts investigations, and not necessarily just law enforcement.

Also, while not a country, the state of California has enacted its own GDPR-like law called the California Consumer Privacy Act of 2018 last June.52 _{This will likely raise constitutional}

48

Id.

49

[Protection of Personal Information Held by Administrative Organs], Act No. 58 of 2003, English translation

available at: http://www.cas.go.jp/jp/seisaku/hourei/data/APPIHAO.pdf; See also Online Privacy Law: Japan,

LIBRARYOF CONGRESS, April 5, 2018, https://www.loc.gov/law/help/online-privacy-law/2017/japan.php.

50

Id.

51

Id. Art. 10(2)(ii)

questions regarding freedom of movement and access within the United States, particularly under the Commerce Clause.53 _{The basic provisions of the bill are focused on businesses, and}

the only exceptions in the text of the bill are regarding the handoff by businesses to law enforcement, but do not address exemptions for law enforcement and investigatory agencies themselves.54 _{The act will become effective on January 1, 2020.}55

These regimes vary in their general scope, the scope of their exceptions, and the ways in which they are enforced, and yet business and other entities who operate in each jurisdiction must make every effort to comply, or potentially face the consequences.56 _{The GDPR in}

particular has been a boon to companies looking to profit on corporate focused compliance models selling services both on analysis and compliance.57 _{Yet for other types of institutions and}

organizations, the path is less clear – particularly when those organizations deal in data which could potentially take advantage of several exceptions in several different laws. Governments large and small have been affected by these laws, but have been less the target of such privacy companies.

III.

International Law Enforcement and the Rising Use of Data

California Consumer Privacy Act of 2018, Senate Bill 1121, Chap. 735 (Ca. 2018) Available at https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121.

53

See e.g., Eric Goldman, Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome,

and Possibly Unconstitutional, TECH. & MKTG. L. BLOG, July 9, 2018,

https://blog.ericgoldman.org/archives/2018/07/ten-reasons-why-californias-new-data-protection-law-is-unworkable-burdensome-and-possibly-unconstitutional-guest-blog-post.htm; Harper Neidig, Chamber of Commerce Calls for

Congress to Block State Privacy Laws, THE HILL, Sept. 6, 2018,

https://thehill.com/policy/technology/405433-chamber-of-commerce-calls-for-congress-to-block-state-privacy-laws

54

CCPA supra Note 52 at 1798.145. (a)

55

Id. at 1798.145. (a) at 1

56

Charlie Osborne, Facebook Could Face $1.63bn Fine Under GDPR Over Latest Data Breach, ZERO DAY, Oct. 2, 2018, https://www.zdnet.com/article/facebook-could-face-billions-in-fines-under-gdpr-over-latest-data-breach/.

57

See e.g. Nextcloud, GDPR Compliance Kit, https://nextcloud.com/gdpr/ (last visited May 6, 2019), Certkit, GDPR Toolkit, https://certikit.com/products/gdpr-toolkit/ (last visited May 6, 2019), and Citrix Free GDPR Compliance Guide https://www.citrix.com/it-security/form/gdpr-resource-kit/ (last visited May 6, 2019), which provides a free ‘compliance guide’ which is simply a list of tools the company offers to assist the reader in GDPR compliance.

The timing of the GDPR and related international laws in no accident. The world is

becoming a more interconnected place by the minute. Local prosecution is using, analyzing and relying on data in increasingly frequent ways, both from a top-down perspective as well as for improving specific aspects of prosecutorial practice.58 _{Soon it will be the same for international}

prosecution and investigation. While many subjects of international law pre-date widespread use of digital communications and storage, we are seeing a rise in modern instances in which

international actors are called to action. These include modern and sophisticated international actors, which have likely generated millions of documents related to their potentially criminal activity. Just this year America’s involvement in Afghanistan was referred to the ICC for investigation, much to America’s dismay.59 _{This was a modern act committed using modern}

technology. The amount of digital data present in that investigation would likely be unprecedented.

Many non-profit organizations exist to preserve documents and evidence of atrocities, some even focusing specifically on digital evidence and reconstruction.60 _{Individuals increasingly can}

use applications to send reports of violations or atrocities directly to non-profit organizations.61

When non-profits, and not a law enforcement or governmental bodies, are collecting and storing data related to criminal investigations, what is their obligations towards privacy rights? If that data is passed onto law enforcement, what rights are implicated with such a transfer? So far there is no clear answer, though 2016/680 provides a hint at what the future holds, and business practices for data transfer could provide a workable model for future compliance.

International incidents often involve end-user data collection, that is, ordinary citizens capturing information, not government surveillance. This is particularly vulnerable to conflict of privacy law. If a business captured information related to a third party that law enforcement now

58

Robin Olsen et al., Collecting and Using Data for Prosecutorial Decisionmaking, JUSTICE POLICY CENTER

https://www.urban.org/research/publication/collecting-and-using-data-prosecutorial-decisionmaking

59

US Threatens International Criminal Court, HUMAN RIGHTS WATCH, March 15, 2019, https://www.hrw.org/news/2019/03/15/us-threatens-international-criminal-court.

60

See e.g. DIGITAL FORENSICS RESEARCH LABORATORY, https://medium.com/dfrlab (last visited May 7, 2019).

61

E.g., Tanya O’Carroll, Inside the Development of Amnesty’s New Panic Button App, AMNESTY

INTERNATIONAL, https://www.amnestyusa.org/inside-the-development-of-amnestys-new-panic-button-app/ (last

visited May 6, 2019); EYEWITNESS https://www.eyewitnessproject.org/ (last visited May 6, 2019), which was

specifically designed to be used in international investigations, and Stop and Frisk Watch App, NYCLU, https://www.nyclu.org/en/stop-and-frisk-watch-app (last visited May 6, 2019), which has a more domestic focus.

seeks, there are still gaps as to the penalties and responsibilities of the business once that information has been turned over – both from an investigative side and a privacy policy side. Explicit court orders like litigations holds would likely help remove some ambiguity.

Partnering with nonprofits for data collection presents several issues regarding the privacy regimes discussed in section II. The most obvious is veracity. Nonprofits must be able to secure reliability of the evidence, which will include detailed chain of custody requirements.

Because these investigations are relying heavily on third parties, third countries, and non-profits, internal auditing, verification procedures and reporting compliance are essential in creating public faith in the evidence used at trial. Without this trust, there can be little faith in the rulings which result from the use of that data.

Third party data collectors are not the only nonprofits which become involved in this field, however. Privacy advocates had kept a close eye on the GDPR during development, but 2016/680 received little attention in comparison. Beyond a few dedicated non-profit

organizations, the bill remained relatively untouched by outside influence. One organization that helped change the contents of the directive was Privacy International, which worked to close what they viewed as an impermissible gap in the exceptions extended to law enforcement. They also assisted in the enactment of the UK Data Privacy Act, discussed above. Without the

pressure and input of Privacy International, they would have enacted a much weaker law that failed to incorporate the provisions of 2016/680.62

The laws present in the countries explored above can also help protect individuals in regions which lack robust data privacy regimes themselves. Parts of Africa and Southeast Asia are particularly vulnerable to data mining and the misuse of personal data. Kenya has one of the fastest growing internet populations and yet lacks any basic law to regulate its growth.63

Services such as Facebook’s Free Basics, which allowed unlimited access to a select, hand picked set of apps, have been accused of data mining, violating net neutrality, and misusing user data.64 _{Without robust privacy laws in the regions of implementation, however, Facebook can}

62

A Global Standard for Data Protection Law PRIVACY INTERNATIONAL,

https://privacyinternational.org/impact/global-standard-data-protection-law (last visited May 8, 2019)

63

Maggie Fick and Alexis Akwagyiram, In Africa, Scant Data Protection Leaves Internet Users Exposed, REUTERS, April 4, 2018, https://www.reuters.com/article/us-facebook-africa/in-africa-scant-data-protection-leaves-internet-users-exposed-idUSKCN1HB1SZ.

operate relatively unchecked. The potential for fines when those technologies are implemented in the incorrect ways (such as targeting or effecting EU citizens), can help curb the danger. The same can also be transposed onto law enforcement agencies. Without robust regulation or enforcement abilities, local law enforcement operate without a guide. Now, these laws can act as models for the future, as well as encourage law enforcement to cooperate with European

authorities to comply, at least, with the third country compliance requirements. Africa as a large continent with highly diverse populations is not without any internet privacy regime, but

unification is not possible. The Commission of the African Union previously partnered with Internet Society to create guidelines for privacy implementation by African nations, which also mimic the GDPR.65

IV.

A Review of Internal Policies for Data Privacy Compliance

First, this section will lay out an overview of best practices and common requirements of the data protection regimes explored above. This will provide the backdrop for a review of selected international investigatory bodies and their general compliance with the laws. The next section will then provide an overview of non-specific practices which international investigatory bodies can engage with in order to remain compliant in the future, as well as ways the future of privacy law may strain the existing structures.

1. Methodology and Standard

First, there are general guides available for law enforcement use of data and maintaining data compliance under the 2016/680. The most comprehensive free guide from a public source which was not explicitly seeking profit, was the UK government.66 _{They identified five key}

principles for law enforcement to follow to help in 2016/680 compliance specifically: the right to be informed, the right to access, the right to rectification, the right to erasure and the right to restriction, and the right not to be subjected to automated decision-making. This paper attempts

Olivia Solon, 'It's Digital Colonialism': How Facebook's Free Internet Service Has Failed Its Users,

GUARDIAN, July 27, 2017,

https://www.theguardian.com/technology/2017/jul/27/facebook-free-basics-developing-markets.

65

INTERNET SOCIETYANDTHE AFRICAN UNION, PERSONAL DATA PROTECTION GUIDELINESFOR AFRICA, (2018)

https://www.internetsociety.org/resources/doc/2018/personal-data-protection-guidelines-for-africa/.

66

Information Commissioner’s Office, Key Scope and Definitions – At a Glance,

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-law-enforcement-processing/scope-and-key-definitions/ (last visited May 9, 2019).

to synthesize this guidance with the other privacy laws that exist. One major difference, for example, is a lack of prohibition on automation explicit in non-European privacy constructions. While some local law may incorporate this,67 _{the presence of automation in some level of the}

decision-making process is not in itself dispositive. As an additional reason not to include in the standards enumerated below, many of the bodies discussed in IV.2-3 would simply lack the means to incorporate automation in their processes in a meaningful way. As technology gets cheaper and more accessible, this does become a more pressing concern.

In light of all of the above factors as well as a birds-eye view of the operative privacy regimes, a rough model of compliance for international legal investigators should include, at least, the following four elements, including their corresponding origins:

1. Public Accountability - Publicly available information regarding the data protection

schemes used, preferably in a manner which the general public, and not just regulatory bodies, can access and understand. There is no specific regulation which grounds this suggestion (though the GDPR contains some requirement of transparency), but simply allows easier access and understanding to the rights of those who interact with

investigatory bodies.

2. Data Protection Officer - The creation and involvement of a Data Protection Officer as

required by the GDPR in processing non-investigative data. Such an officer would also fulfill requirements of 2016/680, PIPA, and LGPD.

3. Security and Privacy Policies - Implement safeguards for data in order for records to

remain secure and private, including department policies on retention of information. This would ensure fundamental privacy under Article 8. This would also allow better sharing of data as the data will be more trustworthy, which would help fulfill

requirements in the GDPR that information sharing only occur between competent authorities.

4. Internal accountability - The creation and maintenance of internal memoranda on the

use of data under 2016/680 to aid in future regulation and compliance questions which 67

The right to a jury trial in America, for example, would preclude the use of automation in most criminal contexts. The use of algorithmic sentencing has, however, caused controversy and may also run afoul of 2016/680.

See e.g., Algorithmic Transparency: End Secret Police Profiling, EPIC.ORG https://epic.org/algorithmic-transparency/

may arise. This would fulfill provisions of most of the data policies explored above, particularly in the case of conflict, audit, or complaint. Simply, this is insurance for a body against unwarranted complaints.

2. Examples of European-based International Investigative Bodies

The Office of the Prosecutor for the International Criminal Court (herein “the OTP”) is the prosecutor and investigatory body of the ICC. The prosecutor bears the burden of proof, and the defense is presumed innocent until proven guilty. The Prosecutor also has obligations to both collect and disclose exonerating and incriminating evidence. This naturally results in the collection of data which would likely implicate not only perpetrators of crime, but victims and third parties as well. Under 2016/680, this data is still subject to regulation and protection.

But what is the OTP? Is it law enforcement and simply subject to the regulations of 2016/680, or is it an ‘international organization,’ which would subject its data to additional safeguard and compliance? There is no clear answer, but as an entity existing within the EU, though international, it likely would not fall under the intended meaning of the international organization provisions of 2016/680, which seems more aimed at an international organization operating overseas in a ‘third country,’ to use the terminology of the directive.

Interestingly, the hosting agreement made between the International Criminal Court and the Kingdom of the Netherlands specifies that “[e]xcept as otherwise provided in this Agreement, the laws and regulations of the host State shall apply on the premises of the Court.”68 _{Mostly they}

are exempt from paying taxes and fees.69 _{However papers and other documents held by the}

court, registrar, and prosecutors are ‘inviolable,’ which may exempt the court from Dutch-specific laws on data regulation. It is still unclear if the general European regulations would apply if Dutch law does not. However, because it is an international body headquartered and operating within the EU, the GDPR and/or 2016/680 provisions specifying what happens to ‘international organizations’ likely wouldn’t take hold, as they seem aimed at organizations headquartered outside of Europe. Under the presumption that it is not an international

organization within the meaning of 2016/680, and instead is a law enforcement body, the actual 68

Headquarters Agreement between the International Criminal Court and the Host State, ICC BD/04 01 08, Art. ‐ ‐ ‐ 8.2, (2008)

69

provisions of the office can be examined for compliance with the principles suggested in Section IV.1.70

It seems almost unfair to start with Public Accountability, as it is where the OTP is woefully weakest. None of the public facing documents which outline their data use and handling

processes have been amended since 2009, and the policies of data collection are only laid out in broad terms. There is little to no specificity, and the policies are spread across various internal governing procedures for the court as a whole. Starting with the Regulations of the Office of the Prosecutor,71 _{there is only one regulation which deals directly with data or information}

management:

Whenever possible, evidence shall be stored in an electronic format. Without prejudice to regulation 16 paragraph 2 of the Regulations of the Registry,

originals shall be stored in the vault of the Office after digitisation. All electronic storage shall to the extent possible be compatible with the technical standards as defined by the Registry pursuant to regulation 26 of the Regulations of the Court and regulations 10, 26 and 52 of the Regulations of the Registry, and relevant decisions by the Chamber.”72

This has been included in its entirety to highlight that it does not develop any regulations or guidelines regarding the electronic format – simply points to two separate guidelines. Later, the regulations do specify that evidence generally needs to be registered and secured, but again, there is little guidance or specificity with which the OTP can execute this.73 _{When the regulations for}

the court and the registrar are explored, similarly sparse guidance is found. Regulation 26 of the Regulations of the Court command the court to “establish a reliable, secure, efficient electronic system which supports its daily judicial and operational management and its proceedings.”74 _The

regulations of the registrar generally establish systems by which data is kept, indexed and maintained, as well as how such evidence can be presented at trial, but again lack the specificity

70

Even if the court is an international organization under the statute, the practical effect is simply slightly more stringent data handling requirements and reports on accountability.

71

Regulations of the Office of the Prosecutor, ICC-BD/05-01-09 (2009)

72

Id. at Reg. 23.4.

73

Id. at Reg. 26.

74

needed to create accountability. A bare affirmation of a commitment of security with nothing more is certainly not sufficient, and no process by which auditing or accountability.75

Looking outside of data regulation provisions, the court has established procedures for questioning and maintaining victim information, which is also lacking in specificity, but is better explained:

Victims questioned by the Office shall be informed of the procedures for

participation and access to reparations under the Statute, and of the existence and role of the Victims Participation and Reparations Section of the Registry. They shall also be informed of the fact that the Office shall forward their personal data to the Victims Participation and Reparations Section, subject to the need to protect their safety, well-being and privacy, as well as the integrity of investigations and proceedings.76

The ICC does maintain an Information Protection Policy, but it has not been updated, at least for public viewing, since 2007.77 _{This policy does provide a much more robust overview of the}

types of data handling and the safeguards which the court puts into place. A search of the ICC website, where information on the OTP is also held, for the phrase “Data Protection Officer” yields zero results,78 _{but the Information Protection policy does outline the role of the}

Information Managers, which function similarly to the role of Data Protection Officers under the GDPR. It is unclear if the OTP would need their own officer or manager to oversee the data they maintain and collect. In a webinar in April of last year, just one month prior to the GDPR

compliance deadline, Dr. Jones Lukose, the Information Management Officer for the court, outlined the challenges the ICC as an institution faced with the GDPR. In it he referred to the OTP as ‘our prosecutors,’ implying he oversaw their data use as well. He contextualized the data processing of the court, by going into detail regarding the common methods of sharing data. He claimed the court handled tens of terabytes of information.79

75

Regulations of the Registrar, ICC-BD/03-01-06-Rev.1, Reg. 10, 26, and 52 (2006)

76

Regulations of the Office of the Prosecutor, ICC-BD/05-01-09, Reg. 37 (2009)

77

ICC Information Protection Policy, ICC/AI/2007/001 (2007)

78

Official Website of the ICC, Search Results for “Data Protection Officer,” https://www.icc-cpi.int/Pages/search-results.aspx?k=%22data%20protection%20officer%22 (last visited May 8. 2019).

79

Dr. Jones Lukose, Content Manager - Impact of GDPR on the International Criminal Court, BRIGHTTALK

(Apr. 25, 2018), https://www.brighttalk.com/webcast/9063/314917/content-manager-impact-of-gdpr-on-the-international-criminal-court.

Dr. Jones Lukose spoke in broad strokes about the philosophy of data management within the court, specifically that it was “built around principles of privacy and protection.” While there has been considerable internal debate regarding whether the ICC is subject to the GDPR, Dr. Lukose expressed confidence that perhaps the court is compliant in spirit, even if it isn’t subject to specific provisions.80

The court does, however, seem to have a dedicated commitment to privacy and security in broad strokes. According to Dr. Lukose, they use sophisticated data management systems both as a manager of content and a case/evidence management system.81 _{The information privacy}

policy also outlines a tagging system for classified or sensitive information. These systems predate 2019/680 and GDPR regulations, and retention and sensitivity policies regarding

individual’s data (e.g. individual profiles which a citizen of the EU could control per the GDPR),

seem to be missing. As a law enforcement agency some of that data may be exempt, but it is unclear if they are kept disentangled enough to remain compliant.

Turning to a specifically European investigative body, the difference in compliance to the proposed model is stark. Europol, Europe’s international investigation, security, and counter-terrorism police force, has extremely robust, public information available regarding their use and reliance on data.82 _{They also maintain and update an enticing and user-friendly mini-site.}83 _They

outline in detail both their obligations and how they fulfill them, tailored to the specific provisions within the GDPR. Europol also specifically works with countries outside of the European union when completing investigations. They have information publicly available regarding their Data Protection officer, and also employ Data Protection Supervisors who provide further oversight and granular control.84 _{Without much further review, it is clear that}

they fulfill most of the criteria laid on in Section IV.1. 80

Id.

81

Id.

82

EUROPOL, DATA PROTECTIONAT EUROPOL,

https://www.europol.europa.eu/publications-documents/data-protection-europol (last visited May 8, 2019).

83

EUROPOL DATA PROTECTION OFFICE, DATA PROTECTION MINI-SITE

https://www.europol.europa.eu/st/DPO/#/home (last visited May 8, 2019).

84

EUROPOL, DATA PROTECTIONAND TRANSPARENCY

Interpol is slightly different from a traditional prosecutor who happens to cross borders, as they specialize in cross-territory crimes and the finding of individuals in other countries. They work primarily through partnership and international cooperation, therefore any data they have is likely to fall under transfer provisions of both the GDPR and 2016/680. Interpol also does a significant amount of work outside of Europe’s borders, for example having a large complex in Singapore. The mixture of applicable and non-applicable data could be difficult to manage without the proper data management techniques.

Interpol has both an end-user friendly version of their data policy, though somewhat bare,85

as well as a public copy of their internal data processing regulations, which were updated as of 2016.86 _{Interpol maintains a network of data protection officers (“the only international}

organization” to do so), and continues to work with law enforcement on compliance with data privacy regulations.87 _{Their partnership with EU countries would likely mean better adherence}

to GDPR and 2016/680 provisions, but there is little data on internal monitoring and reporting on individual profiles, though ability to request individual files does exist.

3. The Investigatory Judges of the ECCC

Turning away from bodies with direct connections to Europe, the investigatory judges of the Extraordinary Chambers in the Courts of Cambodia (herein “ECCC”) are next to be evaluated for data protection best practices. The prosecutors of the chamber bring initial charges, but do not do the bulk of the data collection, retention or analysis, which is the job of the investigatory judges. While the legal framework of the court is available to view by the public,88 _{they are not}

organized well by topic, making them difficult to navigate. Further, they are only available in 85

INTERPOL, DATAAND YOUR RIGHTS,

https://www.interpol.int/en/Who-we-are/Commission-for-the-Control-of-INTERPOL-s-Files-CCF/Data-and-your-rights (last visited May 8, 2019).

86

Available at INTERPOL, LEGAL DOCUMENTS,

https://www.interpol.int/en/Who-we-are/Legal-framework/Legal-documents (last visited May 8,2019).

87

INTERPOL, BUILDING INTERNATIONAL LAW ENFORCEMENT TRUST THROUGH DATA PROTECTION, Oct. 24,

2018, https://www.interpol.int/News-and-Events/News/2018/Building-international-law-enforcement-trust-through-data-protection.

88

EXTRAORDINARY CHAMBERSINTHE COURTSOF CAMBODIA, INTERNAL RULESAND REGULATIONS

English, not a local language or even French, another official language of the court.89 _{Once the}

rules and regulations of the court are examined, they also fail to contain any particular provision on data handling beyond basic provisions setting up a database. There is no mention or

affirmation to a protection of privacy for those whose data may be contained in such databases, nor is there a data protection officer or an analogous position designated within the rules. The rules have not been updated since 2015,90 _{so would not have GDPR or 2016/680 provisions built}

in, they also do not incorporate any authority such as PIPA or the Japanese Privacy Act. Without this public availability of information, and a lack of Public accountability, it is nearly impossible to determine compliance without any other measure of privacy.

The ECCC is also unique from the other prosecutors’ offices due to the scope of their

investigations – in many instances, while dealing with crimes the implicate international law, the chambers need not deal much with current cross-border issues. The regimes that had been in place are no more. There is no clear answer on what this means for the privacy determinations as to which regime should rule.

V.

International Law Enforcement Best Practices and Changes

The methodology created in Section IV.1 above aims to integrate as many privacy regimes as possible. Adopting those changes would greatly protect the data of those who interact with international investigatory bodies, even if those bodies are not directly subject to specific privacy laws. The issue, as seen throughout section IV, however, is not mere insufficiently, but at times an unwillingness to comply. These prosecutor offices, would better serve their goals by

complying as soon as possible, creating public information and accountability, using the data protection officer positions to the fullest extent possible, and protecting themselves from

89

EXTRAORDINARY CHAMBERSINTHE COURTSOF CAMBODIA, INTERNAL RULES [REV.9]

https://www.eccc.gov.kh/en/document/legal/internal-rules-rev9 (last visited May 8,2019).

90

potential data breaches. This is not just due to penalties for non-compliance, but for the integrity of international prosecutors’ offices as well. Following a guideline like the one proposed in this paper will also provide a guideline more likely to be followed as best practices. Any attempt to create a unified data protection system which would apply evenly would not only run afoul of local law, but would have significant enforcement issues.

Another possible solution is the creation of authenticating bodies for cross-jurisdictional issues separate from the prosecutors’ offices themselves. This would not replace the need to conduct basic privacy protection procedures, but would be a solution narrowly tailored to cross-border investigations. America has a framework created by the United States Department of Commerce in conjunction with the European Commission and Swiss Administration called Privacy Shield.91 _{This was created in the wake of a case against Facebook in 2015 brought in the}

European Court of Justice which invalidated other data sharing agreements as insufficient under the Data Protection Directive which preceded the GDPR.92 _{This is mostly business focused, but}

it shows that regimes which automate and streamline data sharing between countries are not only possible, but effective.93 _{Privacy Shield is surprisingly modern for an American Government}

creation, and allows businesses to share data in trusted ways. Perhaps important incentives are missing in the law enforcement context, namely in that local governments do not lose business or customers when they are unable to share data outside of their borders. Non-compliant

governments have little enforcement power against non-compliant, extraterritorial independent states. Within the EU there are mechanisms of enforcement, but these are missing on the broader international scale. However, even in the absence of explicit incentives and punishments, similar mechanisms could be developed between countries under different privacy regimes which hope

91

PRIVACY SHIELD, https://www.privacyshield.gov/welcome (last visited May 8,2019).

92

Court of Justice of the European Union Press Release No 117/15, The Court of Justice declares that the

Commission’s US Safe Harbour Decision is invalid (Oct. 6, 2015)

https://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf; See also Mark Scott, Data

Transfer Pact Between U.S. and Europe is Ruled Invalid, N.Y. TIMES, Oct. 6, 2015,

https://www.nytimes.com/2015/10/07/technology/european-union-us-data-collection.html?_r=0

93

Automation and the barriers to its use under European privacy regimes, for better or worse, could be the topic of another paper so the details will not be explored here. For an overview of the ability to automate certain processes within the law enforcement context, see Article 11 of 2016/680, which does place strict limits on the ability for such automation to result in adverse legal affects.

to share data with one another, particularly countries which share data in order to effectuate law enforcement, commerce, and general information exchange regularly.

VI.

Conclusion

The examination of data privacy around the worlds reveals an uncertain landscape. Europe created a far-reaching and expansive data regime in the first major legal construction to regulate the internet across the globe, at least in effect. While Europe and individual countries have attempted to carve out exceptions for law enforcement use, these must be weighed carefully when examining their effect on fundamental rights. These fundamental rights can come into particular question when data regimes vary in requirements across jurisdiction. For international investigatory bodies, most of their data is cross-jurisdictional. Choice of law as to the office itself is paramount. For some of the easiest cases, the prosecutors’ offices explored in section IV, supra, which have clear reason to follow the GDPR and directive 2016/680, compliance is disappointingly low, almost a year after the deadline for both laws. This begs a question – how can we hope for these offices to protect the changing face of rights across the globe when they cannot even protect our data?

It is imperative that offices act swiftly to comply with these laws. They cannot hope to shape the future or have a hand in best practices if they themselves do not participate in the creation process. As state and local investigations increasingly rely upon digital data, so too will international investigations. It is only a matter of time before techniques of data compliance become the norm. It is in the world’s best interest that these investigators change and adapt now.

I leave you now with the wise words of Jones Lukose, Information Management Officer of the ICC:

We now live in a world where small sets of information can alter the economies of the most powerful organisation and states on the planet. It is a world, where small streams of sensitive information can digitally leak and cause violent reactions from people living far and beyond the source. Tiny words or images transported via exotic technology can lead to wide-spread panic across whole populations. . . It is a world where the same information is interpreted differently in space and time. It is a world where information is presented in constant flux with the only constant being surprise.

Whatever your personal convictions, I challenge you to consider that we need a new way of looking at information management. It won’t help to retreat to our old maps and models because the more frustrated we become, we need new

information management techniques to navigate the chaos, filter the wrong and point us to the significant.94

94

Rafael Moscatel, Directing The Flow Of Information – An Interview with Jones Lukose of The International Criminal Court, IG PERSPECTIVES, Mar. 7, 2018,