Annexes to COM(2021)718 - Authorisation of Member States to sign the Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2021)718 - Authorisation of Member States to sign the Second Additional Protocol to the Convention on Cybercrime on enhanced ... |
|---|---|
| document | COM(2021)718  |
| date | November 25, 2021 |
(2) European Union Serious and Organised Crime Threat Assessment 2021 (EU SOCTA 2021).
(3) SWD(2018) 118 final.
(4) COM(2018)225 and 226 final.
(5) All except Ireland, which has signed but not ratified the Convention, but nevertheless committed to pursuing accession.
(6) Rules of Procedure of the Cybercrime Convention Committee (T-CY (2013)25 rev), available at www.coe.int/cybercrime.
(7) December 2019 United Nations General Assembly (UNGA) Resolution 74/247 on ‘Countering the use of information and communications technologies for criminal purposes’.
(8) JOIN(2020) 81 final.
(9) See for instance the Global Action on Cybercrime Extended (GLACY)+, via https://www.coe.int/en/web/cybercrime/glacyplus.
(10) Final report of the Cybercrime Convention Committee’s Cloud Evidence Group ‘Criminal justice access to electronic evidence in the cloud: Recommendations for consideration by the T-CY’ of 16 September 2016.
(11) https://rm.coe.int/t-cy-terms-of-reference-protocol/1680a03690
(12) https://www.consilium.europa.eu/en/press/press-releases/2018/10/18/20181018-european-council-conslusions/
(13) COM(2019) 71 final.
(14) EDPS Opinion regarding the participation in the negotiations in view of a Second Additional Protocol to the Budapest Cybercrime Convention of 2 April 2019, Opinion 3/2019.
(15) Council Decision with reference 9116/19.
(16) COM(2020) 605 final.
(17) JOIN(2020) 81 final.
(18) COM(2021) 170 final.
(19) European Parliament resolution of 10 June 2021 on the EU’s Cybersecurity Strategy for the Digital Decade.
(20) Reference L 304/47.
(21) https://rm.coe.int/0900001680a2aa42
(22) See paragraph 2 of the explanatory report to the Protocol.
(23) Directive 2010/64/EU of the European Parliament and of the Council of 20 October 2010 on the right to interpretation and translation in criminal proceedings, OJ L 280, 26.10.2010, p. 1; Directive 2012/13/EU of the European Parliament and of the Council of 22 May 2012 on the right to information in criminal proceedings, OJ L 142, 1.6.2012, p. 1; Directive 2013/48/EU of the European Parliament and of the Council of 22 October 2013 on the right of access to a lawyer in criminal proceedings and in European arrest warrant proceedings, and on the right to have a third party informed upon deprivation of liberty and to communicate with third persons and with consular authorities while deprived of liberty, OJ L 294, 6.11.2013, p. 1; Directive (EU) 2016/1919 of the European Parliament and of the Council of 26 October 2016 on legal aid for suspects and accused persons in criminal proceedings and for requested persons in European arrest warrant proceedings, OJ L 297, 4.11.2016, p. 1; Directive (EU) 2016/800 of the European Parliament and of the Council of 11 May 2016 on procedural safeguards for children who are suspects or accused persons in criminal proceedings, OJ L 132, 21.5.2016, p. 1; Directive (EU) 2016/343 of the European Parliament and of the Council of 9 March 2016 on the strengthening of certain aspects of the presumption of innocence and of the right to be present at the trial in criminal proceedings, OJ L 65, 11.3.2016, p. 1; Directive 2012/13/EU of the European Parliament and of the Council of 22 May 2012 on the right to information in criminal proceedings.
(24) See Court of Justice (Grand Chamber), Opinion 1/15, ECLI:EU:C:2017:592, paragraph 220. See also EDPB contribution to the consultation on a draft second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), 13 November 2019, p. 6 (“The competent national authorities to whom access to the data has been granted must notify the persons affected, under the applicable national procedures, as soon as that notification is no longer liable to jeopardize the investigations being undertaken by those authorities. … Notification is necessary to enable the persons affected to exercise, inter alia, their right to a legal remedy and their data protection rights in relation to the processing of their data”).
(25) This is why the Council Decision of 21 May 2019 authorising the opening of negotiations in view of an agreement between the European Union and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters (9114/19) in its negotiating directives contains a number of additional data protection safeguards. In particular, the negotiating directives stipulate that “[t]he agreement should complement the Umbrella Agreement with additional safeguards that take into account the level of sensitivity of the categories of data concerned and the unique requirements of the transfer of electronic evidence directly by service providers rather than between authorities and transfers from competent authorities directly to service providers.”
(26) See also Explanatory Report to the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 10 October 2018, points 106-107.
(27) COM(2018) 225 and 226 final.
(28) EDPS Opinion regarding the participation in the negotiations in view of a Second Additional Protocol to the Budapest Cybercrime Convention of 2 April 2019, Opinion 3/2019.
(29) Including ‘EDPB contribution to the consultation on a draft second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention) of 13 November 2019’; ‘Statement 02/201 on new draft provisions of the second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention) as adopted on 2 February 2021’; ‘EDPB Contribution to the 6th round of consultations on the draft Second Additional Protocol to the Council of Europe Budapest Convention on Cybercrime of 4 May 2021’.
(30) Allowing Parties to reserve the right not to apply Article 7 (disclosure of subscriber data).
(31) Allowing Parties to reserve the right not to apply Article 7 (disclosure of subscriber data) to certain types of access numbers if that would be inconsistent with the fundamental principles of its domestic legal system.
(32) Allowing Parties to declare that the order under Article 7, paragraph 1 (disclosure of subscriber data), must be issued by, or under the supervision of, a prosecutor, or other judicial authority, or otherwise be issued under independent supervision.
(33) Allowing Parties to notify the Secretary General of the Council of Europe that when an order is issued under Article 7, paragraph 1 (disclosure of subscriber data), to a service provider in its territory, the Party requires, in every case or in identified circumstances, simultaneous notification of the order, the supplemental information and a summary of the facts related to the investigation or proceeding.
(34) Allowing Parties to reserve the right not to apply Article 8 (giving effect to orders from another Party) to traffic data.
(35) See paragraph 147 of the explanatory report to the Protocol that determines that ‘[a] Party that reserves to this article is not permitted to submit orders for traffic data to other Parties under [Article 8,] paragraph 1’.
(36) Allowing Parties to declare that additional supporting information is required to give effect to orders under Article 8, paragraph 1 (giving effect to orders from another Party).
(37) Allowing Parties to declare that they will not execute requests under Article 9, paragraph 1, point a, (expedited disclosure of computer data in an emergency) seeking only the disclosure of subscriber data.
(38) Allowing Parties to communicate the contact details of the authority that it designates to receive notifications under Article 7, paragraph 5, point a, and perform the actions described in Article 7, paragraph 5, points b, c and d (disclosure of subscriber data).
(39) Allowing Parties to communicate contact information of the authorities designated to submit and to receive orders under Article 8 (giving effect to orders from another Party). In line with requirements under Regulation (EU) 2017/1939, the Member States that participate in the enhanced cooperation on the establishment of the European Public Prosecutor’s Office (EPPO) shall include the EPPO in the communication.
(40) Allowing Parties to communicate the authority or authorities that should, respectively, be notified in case of a security incident, or be contacted to seek prior authorisation in case of onward transfers to another State or international organisation.
(41) See above footnote 24.
(42) https://www.coe.int/en/web/cybercrime/protocol-consultations
(43) SWD(2018) 118 final.
(44) See for instance the Cybercrime Convention Committee Guidance Note 10 of 1 March 2017 on production orders for subscriber information (Article 18 Budapest Convention).
(45) See for instance the Resolution of the Board of the Internet Cooperation for Assigned Names and Numbers (ICANN) of 15 May 2019 on the Recommendations on the Temporary Specification for gTLD registration data, available at www.icann.org.