52021PC0719

EUROPEAN COMMISSION

Brussels, 25.11.2021

COM(2021) 719 final

2021/0383(NLE)

Proposal for a

COUNCIL DECISION

authorising Member States to ratify, in the interest of the European Union, the Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence

EXPLANATORY MEMORANDUM

1.THE SUBJECT OF THE PROPOSAL

The present proposal concerns the decision authorising Member States to ratify, in the interest of the European Union, the Second Additional Protocol on enhanced co-operation and disclosure of electronic evidence to the Council of Europe ‘Budapest’ Convention on Cybercrime (‘the Protocol'). 1 The aim of the Protocol is to provide common rules at international level to enhance co-operation on cybercrime and the collection of evidence in electronic form for criminal investigations or proceedings.

This proposal complements a separate proposal from the Commission for a Decision of the Council of the European Union (‘the Council’) authorising Member States to sign the Protocol in the interest of the European Union.

Cybercrime continues to represent a considerable challenge to our society. Notwithstanding the efforts of law enforcement and judicial authorities, cyberattacks, including ransomware attacks, are increasing and are becoming more complex. 2 In particular the borderless nature of the internet makes cybercrime investigations almost always cross-border in nature, thus requiring close cooperation between authorities in different countries.

Electronic evidence is increasingly important for criminal investigations. The Commission estimates that nowadays law enforcement and judicial authorities need access to electronic evidence in 85% of criminal investigations, including cybercrime. 3 Evidence of any criminal offence is increasingly held in electronic form by service providers in foreign jurisdictions, and an effective criminal justice response requires appropriate measures to obtain such evidence to uphold the rule of law.

Efforts to improve cross-border access to electronic evidence for criminal investigations are undertaken around the globe, at national, at European Union 4 and at international level, including through the Protocol. It is important to ensure compatible rules at international level to avoid conflicts of law when cross-border access to electronic evidence is sought.

2.CONTEXT OF THE PROPOSAL

2.1.Background

The Council of Europe ‘Budapest’ Convention on Cybercrime (CETS No. 185) (‘the Convention’) aims at facilitating the fight against criminal offences making use of computer networks. It (1) contains provisions harmonising domestic criminal substantive law elements of offences and connected provisions in the area of cybercrime, (2) provides for domestic criminal procedural law powers necessary for the investigation and prosecution of such offences as well as other offences committed by means of a computer system or where the evidence is in electronic form, and (3) aims to set up a fast and effective regime of international cooperation.

The Convention is open to Member States of the Council of Europe, and non-members upon invitation. Currently, 66 countries are Parties to the Convention, including 26 European Union Member States. 5 The Convention does not envisage that the European Union may accede to the Convention. The European Union is however recognised as an Observer Organisation to the Cybercrime Convention Committee (T-CY). 6

Notwithstanding efforts to negotiate a new cybercrime convention at the level of the United Nations 7 , the Budapest Convention remains the main multilateral Convention for the fight against cybercrime. The Union consistently supports the Convention 8 , also in the framework of the financing of capacity building programmes. 9

Following proposals from the Cloud Evidence Group 10 , the Cybercrime Convention Committee adopted several recommendations to address, including through the negotiation of a Second Additional Protocol to the Convention on Cybercrime on enhanced international cooperation, the challenge that electronic evidence relating to cybercrime and other offences is increasingly held by service providers in foreign jurisdictions, while the powers of law enforcement remain limited by territorial boundaries. In June 2017, the Cybercrime Convention Committee approved the Terms of Reference for the preparation of the Second Additional Protocol during the period from September 2017 to December 2019. 11 In view of the need for more time to finalise discussions, as well as the limitations posed by the Covid-19 pandemic in 2020 and 2021, the Cybercrime Convention Committee subsequently extended the terms of reference twice, until December 2020, and subsequently until May 2021.

Following the call from the European Council in its conclusions of 18 October 2018 12 , the Commission adopted on 5 February 2019 a Recommendation for a Council Decision authorising the Commission to participate, on behalf of the European Union, in the negotiations on a second Additional Protocol to the Council of Europe Convention on Cybercrime. 13 The European Data Protection Supervisor adopted an opinion regarding the Recommendation on 2 April 2019. 14 With a decision of 6 June 2019, the Council of the European Union authorised the Commission to participate, on behalf of the European Union, in the negotiations for the Second Additional Protocol. 15

As expressed in the 2020 EU Security Union Strategy 16 , the 2020 EU Cybersecurity Strategy for the Digital Decade 17 and the 2021 EU Organised Crime Strategy 18 , the Commission has been committed to the swift and successful conclusion of the negotiations of the Protocol. The European Parliament also recognised the need to conclude the work on the Protocol in its 2021 Resolution on the EU Cybersecurity Strategy for the Digital Decade. 19

The Commission participated, on behalf of the European Union, in the negotiations for the Protocol in line with the Decision of the Council of the European Union. The Commission consistently consulted the Council’s special committee for the negotiations on the Union position.

In line with the Framework Agreement on relations between the European Parliament and the European Commission 20 , the Commission also kept the European Parliament informed of the negotiations by means of written reports and oral presentations.

At the plenary meeting of the Cybercrime Convention Committee of 28 May 2021, the Cybercrime Convention Committee approved the draft Protocol at its level and forwarded the draft for adoption by the Committee of Ministers of the Council of Europe. 21 On 17 November 2021, the Committee of Ministers of the Council of Europe adopted the Protocol.

2.2.The Second Additional Protocol

The aim of the Protocol is to enhance co-operation on cybercrime and the collection of evidence in electronic form of a criminal offence for the purpose of specific criminal investigations or proceedings. The Protocol recognises the need for increased and more efficient co-operation between States and with the private sector, and for greater clarity and legal certainty for service providers and other entities regarding the circumstances in which they may respond to requests from criminal justice authorities in other Parties for the disclosure of electronic evidence.

The Protocol also recognises that effective cross-border cooperation for criminal justice purposes, including between public sector authorities and private sector entities, requires effective conditions and strong safeguards for the protection of fundamental rights. For that purpose, the Protocol follows a rights-based approach and provides for conditions and safeguards in line with international human rights instruments, including the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms. As electronic evidence often concerns personal data, the Protocol also includes strong safeguards for the protection of privacy and personal data.

The provisions referred to in the following subparagraphs are of particular importance for the Protocol. The Protocol is accompanied by a detailed explanatory report. Although the explanatory report does not constitute an instrument providing an authoritative interpretation of the Protocol, it is intended to ‘guide and assist Parties’ in the application of the Protocol. 22

2.2.1.Common provisions

Chapter I of the Protocol provides for common provisions. Article 2 determines the scope of application of the Protocol, in line with the scope of the Convention: it applies to specific criminal investigations or proceedings concerning criminal offences related to computer systems and data, and to the collection of evidence in electronic form of a criminal offence.

In Article 3, definitions are included with regard to ‘central authorities’, ‘competent authorities’, ‘emergency situations’, ‘personal data’ and ‘transferring Party’. These definitions apply to the Protocol, together with definitions included in the Convention.

Article 4 determines the languages in which Parties should submit orders, requests or notifications under the Protocol.

2.2.2.Cooperation measures

Chapter II of the Protocol provides for measures to enhance cooperation. First, Article 5, paragraph 1, determines that Parties shall cooperate on the basis of the Protocol to the widest extent possible. Article 5, paragraphs 2 to 5, determines the application of the measures of the Protocol in relation to existing mutual assistance treaties or arrangements. Article 5, paragraph 7, sets out that the measures in Chapter II shall not restrict cooperation between Parties, or with service providers or entities, through other applicable agreements, arrangements, practices, or domestic law.

Article 6 provides a basis for the direct cooperation between competent authorities in one Party and entities providing domain name registration services in another Party, for the disclosure of domain name registration data.

Article 7 provides a basis for the direct cooperation between competent authorities in one Party and service providers in another Party for the disclosure of subscriber data.

Article 8 provides a basis for enhanced cooperation between authorities for the disclosure of computer data.

Article 9 provides a basis for the cooperation between authorities for the disclosure of computer data in emergency situations.

Article 10 provides a basis for mutual legal assistance in emergency situations.

Article 11 provides a basis for cooperation by video conference.

Article 12 provides a basis for joint investigations and joint investigation teams.

2.2.3.Safeguards

The Protocol follows a rights-based approach with specific conditions and safeguards, some of which are incorporated in the specific cooperation measures, as well as in Chapter III of the Protocol. Article 13 of the Protocol requires Parties to ensure that powers and procedures are subject to an appropriate level of protection for fundamental rights, which, in line with Article 15 of the Convention, ensures the application of the principle of proportionality.

Article 14 of the Protocol provides for the protection of personal data, as defined in Article 3 of the Protocol in line with the Amending Protocol to the Convention for the Protection of Individuals with Regard to the Processing of Personal Data (CETS 223) (Convention 108+) and Union law.

On that basis, Article 14, paragraphs 2 to 15, set out fundamental data protection principles, including purpose limitation, legal basis, data quality and rules applicable to the processing of special categories of data, obligations applicable to controllers, including on retention, keeping of records, security and as regards onward transfers, enforceable individual rights, including on notification, access, rectification and automated decision-making, independent and effective supervision by one or more authorities as well as administrative and judicial redress. The safeguards cover all forms of cooperation set out in the Protocol, with adaptations where necessary to address the specific features of direct cooperation (e.g. in the context of breach notification). The exercise of certain individual rights can be delayed, limited or refused where necessary and proportionate to pursue important public interest objectives, in particular to prevent risk to an ongoing law enforcement investigations, which is also in line with Union law.

Article 14 of the Protocol should also be read in conjunction with Article 23 of the Protocol. Article 23 strengthens the effectiveness of the safeguards in the Protocol by providing that the Cybercrime Convention Committee will assess the implementation and application of the measures taken in national legislation to give effect to the provisions of the Protocol. In particular, Article 23, paragraph 3 explicitly acknowledges that the implementation by the Parties of Article 14 shall be assessed once ten Parties to the Convention have expressed their consent to be bound to the Protocol.

As a further safeguard, pursuant to Article 14, paragraph 15, where a Party has substantial evidence that another Party is in systematic or material breach of the safeguards set out in the Protocol, it may suspend the transfer of personal data to that Party following consultation (which is not required in case of urgency). Any personal data transferred prior to suspension shall continue to be treated in accordance with the Protocol.

Finally, in view of the multilateral character of the Protocol, Article 14, paragraph 1, point b and point c of the Protocol allow Parties in their bilateral relationships to agree, under certain conditions, on alternative ways to ensure the protection of personal data transferred under the Protocol. While the safeguards of Article 14, paragraphs 2 to 15 apply by default to Parties receiving personal data, on the basis of Article 14, paragraph 1, point b, Parties mutually bound by an international agreement establishing a comprehensive framework for the protection of personal data in line with the applicable requirements of the legislation of the Parties concerned may also rely on that framework. This concerns for instance Convention 108+ (for those Parties that allow data transfers to other Parties under that convention) or the EU-U.S. Umbrella Agreement (within its scope of application, i.e. for the transfer of personal data between authorities and, in combination with a specific transfer arrangement between the U.S. and the EU, for direct cooperation between authorities and service providers). In addition, on the basis of Article 14, paragraph 1, point c, Parties may also mutually determine that the transfer of personal data takes place on the basis of other agreements or arrangements between the Parties concerned. For the EU Member States, such an alternative agreement or arrangement may only be relied upon for data transfers under the Protocol if such transfers comply with the requirements of Union data protection law, namely Chapter V of Directive (EU) 2016/680 (the Law Enforcement Directive) and (for direct cooperation between authorities and service providers under Articles 6 and 7 of the Protocol) Chapter V of Regulation (EU) 2016/679 (the General Data Protection Regulation).

2.2.4.Final provisions

Chapter IV of the Protocol provides for final provisions. Amongst other things, Article 15, paragraph 1, point a, ensures that Parties may establish their relations on the matters set out in the Protocol otherwise, in line with Article 39, paragraph 2, of the Convention. Article 15, paragraph 1, point b, ensures that EU Member States that are Party to the Protocol can continue to apply Union law in their mutual relations. Article 15, paragraph 2, also determines that Article 39, paragraph 3, of the Convention applies to the Protocol.

Article 16, paragraph 3, indicates that the Protocol will enter into force once five Parties to the Convention have expressed their consent to be bound by the Protocol.

Article 19, paragraph 1, provides that Parties may avail themselves of reservations in relation to Article 7, paragraphs 9 point a and 9 point b, Article 8, paragraph 13, and Article 17. Article 19, paragraph 2, provides that Parties may make declarations in relation to Article 7, paragraphs 2, point b, and 8, Article 8, paragraph 11, Article 9, paragraph 1, point b, and 5, Article 10, paragraph 9, Article 12, paragraph 3, and Article 18, paragraph 2. Article 19, paragraph 3, determines that a Party shall make declarations, notifications or communications identified in Article 7, paragraphs 5 point a and point e, Article 8, paragraphs 4 and 10 points a and b, Article 14, paragraphs 7 point c and 10 point b, and Article 17, paragraph 2.

Article 23, paragraph 1, provides a basis for consultations amongst Parties, including through the Cybercrime Convention Committee, in line with Article 46 of the Convention. Article 23, paragraph 2, also provides a basis for the assessment of the use and implementation of the provisions of the Protocol. Article 23, paragraph 3, ensures that the assessment of the use and implementation of Article 14 on data protection shall commence once ten Parties have expressed their consent to be bound by the Protocol.

2.3.Union law and policy in the area

The field governed by the Protocol is largely covered by common rules based on Articles 82(1) and 16 TFEU. The current European Union legal framework includes in particular instruments on law enforcement and judicial cooperation in criminal matters, such as Directive 2014/41/EU regarding the European Investigation Order in criminal matters, the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union and Council Framework Decision 2002/465/JHA on joint investigation teams. Externally, the European Union has concluded a number of bilateral agreements between the Union and third countries, such as the Agreements on Mutual Legal Assistance between the European Union and the United States of America, between the European Union and Japan and between the European Union and Norway and Iceland. The current European Union legal framework also includes Regulation (EU) 2017/1939 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’). Member States that participate in the enhanced cooperation should ensure that the EPPO can, in the exercise of its competences as provided for by Articles 22, 23 and 25 of Regulation (EU) 2017/1939, seek cooperation under the Protocol in the same way as national prosecutors of those Member States. These instruments and agreements relate, in particular, to Articles 8, 9, 10, 11 and 12 of the Protocol.

Moreover, the Union has adopted several directives that reinforce procedural rights of suspects and accused persons. 23 These instruments relate, in particular, to Articles 6, 7, 8, 9, 10, 11, 12 and 13 of the Protocol. One particular set of safeguards concerns the protection of personal data, which is a fundamental right enshrined in the EU Treaties and in the Charter of Fundamental Rights of the European Union. Personal data may only be processed in accordance with the Regulation (EU) 2016/679 (the General Data Protection Regulation) and Directive (EU) 2016/680 (the Law Enforcement Directive). The fundamental right of everyone to the respect for his or her private and family life, home and communications includes the respect for the privacy of one’s communications as an essential element. Electronic communications data can only be processed in accordance with Directive 2002/58/EC (the ePrivacy Directive). These instruments relate, in particular, to Article 14 of the Protocol.

Article 14, paragraphs 2 to 15, of the Protocol provides for appropriate data protection safeguards within the meaning of the Union data protection rules, in particular Article 46 of the General Data Protection Regulation and Article 37 of the Law Enforcement Directive, and relevant case law of the European Court of Justice. In line with Union law requirements 24 and in order to guarantee the effectiveness of the safeguards set out in Article 14 of the Protocol, Member States should ensure notification of individuals whose data have been transferred, subject to certain restrictions, e.g. to avoid jeopardising ongoing investigations. Article 14, paragraph 11, point c of the Protocol provides a basis for Member States to fulfil this requirement.

The compatibility of Article 14, paragraph 1, of the Protocol with Union data protection rules also requires that Member States consider the following with regard to possible alternative ways to ensure the appropriate protection of personal data transferred under the Protocol. With regard to other international agreements establishing a comprehensive framework for the protection of personal data in line with the applicable requirements of the legislation of the Parties concerned, under Article 14, paragraph 1, point b, Member States should take into account that, for direct cooperation, the EU-U.S. Umbrella Agreement needs to be complemented with additional safeguards – to be provided in a specific transfer arrangement between the U.S. and the EU/its Member States – that take into account the unique requirements of the transfer of electronic evidence directly by service providers rather than between authorities. 25

Also, under Article 14, paragraph 1, point b, of the Protocol, Member States should consider that, for EU Member States that are Parties to Convention 108+, that Convention by itself does not provide an appropriate basis for cross-border data transfers under the Protocol to other Parties to that Convention. In this respect, they should consider the last sentence of Article 14, paragraph 1, of Convention 108+ 26 .

Finally, with regard to other agreements or arrangements under Article 14, paragraph 1, point c, Member States should consider that they may only rely on such other agreements or arrangements if either the European Commission has adopted an adequacy decision pursuant to Article 45 of the General Data Protection Regulation (EU) 2016/679 or Article 36 of the Law Enforcement Directive (EU) 2016/680 for the third country concerned that covers the respective data transfers, or if such other agreement or arrangement itself ensures appropriate data protection safeguards pursuant to Article 46 of the General Data Protection Regulation or Article 37, paragraph 1, point a, of the Law Enforcement Directive.

Account must be taken not only of Union law as it currently stands in the area concerned, but also of its future development, in so far as this is foreseeable at the time of analysis. The area covered by the Protocol is of direct relevance to foreseeable future developments of Union law. In this regard, the Commission’s proposals on cross-border access to electronic evidence of April 2018 should be noted. 27 These instruments relate, in particular, to Articles 6 and 7 of the Protocol.

The Commission, while participating in the negotiations on behalf of the Union, ensured that the Protocol is fully compatible with Union law and Member States’ obligations under it. In particular, the Commission ensured the Protocol provisions allow Member States to respect fundamental rights, freedoms and general principles of Union law as enshrined in the EU Treaties and Charter of Fundamental Rights, including proportionality, procedural rights, the presumption of innocence and the rights of defence of persons subject to criminal proceedings as well as privacy and the protection of personal data and electronic communications data when such data is processed, including transfers to law enforcement authorities in countries outside the European Union, and any obligations incumbent on law enforcement and judicial authorities in this respect. The Commission also took into account the opinion of the European Data Protection Supervisor 28 , and of the European Data Protection Board. 29

Furthermore, the Commission ensured that the provisions in the Protocol and the Commission’s e-evidence proposals are compatible, including as the draft legislation evolved in the discussions with the co-legislators, and the Protocol does not give rise to conflicts of law. In particular, the Commission ensured that the Protocol includes appropriate data protection and privacy safeguards, which allows EU service providers to comply with their obligations under EU data protection and privacy laws, insofar as the Protocol provides a legal ground for data transfers in reaction to orders or requests issued by an authority from a non-EU Party to the Protocol requiring an EU controller or processor to disclose personal data or electronic communications data.

2.4.Reservations, declaration, notification and communications, and other considerations

The Protocol provides a basis for Parties to avail themselves of certain reservations, and to make declarations, notification or communications in relation to certain articles. Member States should take a uniform approach to certain reservations and declarations, notifications and communications as set out in the Annex to this Decision. To ensure compatibility of the Protocol’s implementation with Union law, EU Member States should take the position set out below with respect to those reservations and declarations. Where the Protocol provides a basis for other reservations, declarations, notifications or communications, this proposal authorises Member States to consider and make their own reservations, declarations, notifications or communications.

In order to ensure compatibility between the Protocol’s provisions and relevant Union law and policies, Member States should not avail themselves of the reservations pursuant to Article 7, paragraphs 9, point a 30 and point b 31 . In addition, Member States should make the declaration pursuant to Article 7, paragraph 2, point b 32 , and the notification pursuant to Article 7, paragraph 5, point a 33 . The absence of these reservations, and the submission of the declaration and notification, are important to ensure compatibility of the Protocol with the Commission’s e-evidence legislative proposals, including as the draft legislation evolves in the discussions with the co-legislators.

In addition, in order to ensure a uniform application of the Protocol by EU Member States in their cooperation with Parties that are not EU Member States, Member States are encouraged not to avail themselves of the reservation pursuant to Article 8, paragraph 13 34 , also because such a reservation would have reciprocal effect 35 . Member States should make the declaration pursuant to Article 8, paragraph 4, to ensure effect can be given to orders in case additional supporting information is needed, e.g. about the circumstances of the case at hand in order to assess proportionality and necessity. 36

Member States are also encouraged to refrain from making the declaration under Article 9, paragraph 1, point b, 37 in order to ensure an efficient application of the Protocol.

Member States should make the communications pursuant to Article 7, paragraph 5, point e 38 , Article 8, paragraph 10, point a and point b 39 , Article 14, paragraph 7, point c, and paragraph 10, point b, to ensure an overall effective application of the Protocol. 40

Finally, Member States should also take the necessary measures pursuant to Article 14, paragraph 11, point c, to ensure that the receiving Party is informed at the time of transfer of the obligation under Union law to provide notification to the individual to whom the data relates 41 , and appropriate contact details to allow the receiving Party to inform the competent authority in the EU Member State once confidentiality restrictions no longer apply and notification can be provided.

2.5.Reason for the proposal

The Protocol will enter into force once five Parties have expressed their consent to be bound by the Protocol in accordance with the provisions of Article 16, paragraphs 1 and 2. The signing ceremony of the Protocol is envisaged to take place in March 2022.

EU Member States should take the necessary steps to ensure swift entry into force and ratification of the Protocol, which is important in view of a number of factors.

First, the Protocol will ensure that law enforcement and judicial authorities are better equipped to obtain electronic evidence necessary for criminal investigations. In view of the increasing importance of electronic evidence for criminal investigations, there is an urgent need of law enforcement and judicial authorities to have the right instruments to obtain access to electronic evidence in an effective manner to ensure they can effectively fight crime online.

Second, the Protocol will ensure that such measures to obtain access to electronic evidence will be used in a manner that allow Member States to respect fundamental rights, including criminal procedural rights, the right to privacy and the right to the protection of personal data. In the absence of clear rules at international level, existing practices may pose challenges in view of legal certainty, transparency, accountability and respect of fundamental rights and procedural guarantees of the suspects in criminal investigations.

Third, the Protocol will resolve and prevent conflicts of law, affecting both authorities and private sector service providers and other entities, by providing compatible rules at international level for cross-border access to electronic evidence.

Fourth, the Protocol will demonstrate the continued importance of the Convention as the main multilateral framework for the fight against cybercrime. This will be of key importance in the process following the United Nations General Assembly (UNGA) Resolution 74/247 of December 2019 on ‘Countering the use of information and communications technologies for criminal purposes’ that established an open-ended ad hoc intergovernmental committee of experts to elaborate a comprehensive international convention on countering the use of information and communications technologies for criminal purposes.

3.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

·Legal basis

The competence of the Union to legislate on matters on the facilitation of the cooperation between judicial or equivalent authorities in relation to proceedings in criminal matters and the enforcement of decisions is based on Article 82(1) TFEU. The competence of the Union for matters on the protection of personal data is based on Article 16 TFEU.

In line with Article 3(2) TFEU the Union has exclusive competence for the conclusion of an international agreement insofar as such conclusion may affect common EU rules or alter their scope. The provisions of the Protocol fall within an area covered to a large extent by common rules as set out in section 2.3 here above.

The Protocol thus falls within exclusive external competence of the Union. The ratification of the Protocol by Member States, in the interest of the Union, may thus take place on the basis of Articles 16, 82(1) and 218(6) TFEU.

·Subsidiarity (for non-exclusive competence)

Not applicable.

·Proportionality

The Union’s objectives with regard to this proposal as set out in section 2.5 here above can only be achieved by entering into a binding international agreement providing for the necessary cooperation measures while ensuring appropriate protection of fundamental rights. The Protocol achieves this objective. The provisions of the protocol are limited to what is necessary to achieve its main objectives. Unilateral action does not provide an alternative as it would not provide a sufficient basis for the cooperation with non-EU countries and could not ensure the necessary protection of fundamental rights. Also, adhering to a multilateral agreement such as the Protocol, which the Union has been able to negotiate, is more efficient than entering into negotiations with individual non-EU countries at bilateral level. Under the assumption that all 66 Parties, as well as future new Parties, to the Convention will ratify the Protocol, the Protocol will provide a common legal framework for EU Member States’ cooperation with their most important international partners in the fight against crime.

·Choice of the instrument

Not applicable.

4.RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

·Ex-post evaluations/fitness checks of existing legislation

Not applicable.

·Stakeholder consultations

The Council of Europe organised six rounds of public consultations in relation to the Protocol negotiations, in July and November 2018, February and November 2019, December 2020, and May 2021. 42 Parties considered the input received as part of these consultations.

The Commission, in its role as negotiator on behalf of the Union, also exchanged views with data protection authorities, and organised targeted consultation meetings throughout 2019 and 2021 with civil society organisations, service providers and trade associations. The Commission took into account the input received from these exchanges.

·Collection and use of expertise

In the process of the negotiations, the Commission consistently consulted the Council’s special committee for the negotiations in line with the Decision of the Council of the European Union of 6 June 2019 authorising the Commission to participate in the negotiations on behalf of the Union, which provided an opportunity for Member State experts to contribute to the process of the formulation of the Union position. A number of Member State experts also continued to participate in the negotiations, alongside the Commission’s participation on behalf of the Union. Stakeholder consultations also took place (see here above).

·Impact assessment

An impact assessment was carried out in 2017-2018 to accompany the Commission’s e-evidence proposals. 43 In this context, the negotiation for an agreement on a Second Additional Protocol to the Budapest Convention on Cybercrime was part of the preferred option. Relevant impacts are moreover presented in the present explanatory memorandum.

·Regulatory fitness and simplification

The Protocol may have implications for certain categories of service providers, including Small and Medium Enterprises (SMEs), as they may be subject to requests and orders for electronic evidence under the Protocol. However, currently, these providers will often already be subject to such requests through other existing channels, sometimes transmitted via different authorities, including on the basis of the Convention 44 , other Mutual Legal Assistance treaties, or other frameworks including internet governance multi-stakeholder policies. 45 Also, service providers, including SMEs, will benefit from a clear legal framework at international level and a common approach by all Parties to the Protocol.

·Fundamental rights

The cooperation instruments under the Protocol are likely to affect fundamental rights where a person’s data may be obtained in the context of a criminal proceeding, including e.g. the right to a fair trial, the right to privacy and the right to the protection of personal data. The Protocol follows a rights-based approach and provides for conditions and safeguards in line with international human rights instruments including the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms. In particular, the Protocol provides for specific data protection safeguards. Where necessary, the Protocol also provides a basis for Parties to make certain reservations, declarations or notifications, and includes grounds to refuse cooperation in response to a request in specific situations. This ensures compatibility of the Protocol with the EU Charter of Fundamental Rights.

5.BUDGETARY IMPLICATIONS

There are no budgetary implications for the Union budget. Member States may have one-off costs for the implementation of the Protocol and there could be higher costs for authorities of the Member States due to the expected rise in the number of cases.

6.OTHER ELEMENTS

·Implementation plans and monitoring, evaluation and reporting arrangements

There is no implementation plan as, following its signature and ratification, Member States will be required to implement the Protocol.

With regard to monitoring, the Commission will take part in the meetings of the Cybercrime Convention Committee, where the European Union is recognised as an Observer Organisation.

2021/0383 (NLE)

Proposal for a

COUNCIL DECISION

THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 16, 82(1) and 218(6) thereof,

Having regard to the proposal from the European Commission,

Having regard to the consent of the European Parliament,

Whereas:

(1)On 9 June 2019, the Council authorised the Commission to participate, on behalf of the Union, in the negotiations for the Second Additional Protocol to the Council of Europe Budapest Convention on Cybercrime.

(2)The text of the Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence (‘the Protocol') was adopted by the Council of Europe Committee of Ministers on 17 November 2021 and is envisaged to be opened for signature in March 2022.

(3)The provisions of the Protocol fall within an area covered to a large extent by common rules within the meaning of Article 3(2) TFEU, including instruments facilitating judicial cooperation in criminal matters, ensuring minimum standards of procedural rights, as well as data protection and privacy safeguards.

(4)The Commission also submitted legislative proposals for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters (COM(2018)225 final), and for a Directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings introducing (COM(2018)226 final), binding cross-border European Production and Preservation Orders to be addressed directly to a representative of a service provider in another Member State.

(5)With its participation in the negotiations, on behalf of the Union, the Commission ensured compatibility of the Second Additional Protocol with relevant common European Union rules.

(6)A number of reservations, declarations, notifications and communications are relevant to ensure compatibility of the Protocol with Union law and policies, as well as the uniform application of the Protocol amongst EU Member States in their relation with non-EU Parties, and the effective application of the Protocol.

(7)Given that the Protocol provides for swift procedures that improve cross-border access to electronic evidence and a high level of safeguards, entry into force will contribute to the fight against cybercrime and other forms of crime at global level by facilitating cooperation between the EU Member State Parties and the non-EU Member State Parties to the Protocol, will ensure a high level of protection of individuals, and will address conflicts of law.

(8)Given that the Protocol provides for appropriate safeguards in line with the requirements for international transfers of personal data under Regulation (EU) 2016/679 and Directive (EU) 2016/680, its entry into force will contribute to the promotion of Union data protection standards at global level, facilitate data flows between the EU Member State Parties and the non-EU Member State Parties to the Protocol, and will ensure compliance of EU Member States with their obligations under Union data protection rules.

(9)The swift entry into force will furthermore also confirm the position of the Council of Europe Budapest Convention as the main multilateral framework for the fight against cybercrime.

(10)The European Union cannot become a Party to the Protocol, as both the Protocol and the Council of Europe Convention on Cybercrime are open to states only.

(11)Member States should therefore be authorised to ratify the Protocol, acting jointly in the interests of the European Union.

(12)The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on …

(13)[In accordance with Articles 1 and 2 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, and without prejudice to Article 4 of that Protocol, Ireland is not taking part in the adoption of this Decision and is not bound by it or subject to its application.]

[OR]

[In accordance with Articles 1 and 2 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, and without prejudice to Article 4 of that Protocol, Ireland has notified [, by its letter of ... ,] its wish to take part in the adoption and application of this Decision.]

(14)In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark is not taking part in the adoption of this Decision and is not bound by it or subject to its application,

HAS ADOPTED THIS DECISION:

Article 1

Member States are hereby authorised to ratify, in the interest of the European Union, the Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence (‘Protocol’).

Article 2

When ratifying the Protocol, Member States shall make the reservations, declarations, notifications or communications that are set out in the Annex.

Article 3

This Decision shall enter into force on the day of its adoption.

Article 4

This Decision shall be published in the Official Journal of the European Union.

Article 5

This Decision is addressed to Member States.

Done at Brussels,

For the Council

The President

(1) The text of the Protocol is included as an annex to this proposal.

(2) European Union Serious and Organised Crime Threat Assessment 2021 (EU SOCTA 2021).

(3) SWD(2018) 118 final.

(4) COM(2018)225 and 226 final.

(5) All except Ireland, which has signed but not ratified the Convention, but nevertheless committed to pursuing accession.

(6) Rules of Procedure of the Cybercrime Convention Committee (T-CY (2013)25 rev), available at www.coe.int/cybercrime.

(7) December 2019 United Nations General Assembly (UNGA) Resolution 74/247 on ‘Countering the use of information and communications technologies for criminal purposes’.

(8) JOIN(2020) 81 final.

(9) See for instance the Global Action on Cybercrime Extended (GLACY)+, via https://www.coe.int/en/web/cybercrime/glacyplus.

(10) Final report of the Cybercrime Convention Committee Cloud Evidence Group ‘Criminal justice access to electronic evidence in the cloud: Recommendations for consideration by the T-CY’ of 16 September 2016.

(11) https://rm.coe.int/t-cy-terms-of-reference-protocol/1680a03690

(12) https://www.consilium.europa.eu/en/press/press-releases/2018/10/18/20181018-european-council-conslusions/

(13) COM(2019) 71 final.

(14) EDPS Opinion regarding the participation in the negotiations in view of a Second Additional Protocol to the Budapest Cybercrime Convention of 2 April 2019, Opinion 3/2019.

(15) Council Decision with reference 9116/19.

(16) COM(2020) 605 final.

(17) JOIN(2020) 81 final.

(18) COM(2021) 170 final.

(19) European Parliament resolution of 10 June 2021 on the EU’s Cybersecurity Strategy for the Digital Decade.

(20) Reference L 304/47.

(21) https://rm.coe.int/0900001680a2aa42

(22) See paragraph 2 of the explanatory report to the Protocol.

(23) Directive 2010/64/EU of the European Parliament and of the Council of 20 October 2010 on the right to interpretation and translation in criminal proceedings, OJ L 280, 26.10.2010, p. 1; Directive 2012/13/EU of the European Parliament and of the Council of 22 May 2012 on the right to information in criminal proceedings, OJ L 142, 1.6.2012, p. 1; Directive 2013/48/EU of the European Parliament and of the Council of 22 October 2013 on the right of access to a lawyer in criminal proceedings and in European arrest warrant proceedings, and on the right to have a third party informed upon deprivation of liberty and to communicate with third persons and with consular authorities while deprived of liberty, OJ L 294, 6.11.2013, p. 1; Directive (EU) 2016/1919 of the European Parliament and of the Council of 26 October 2016 on legal aid for suspects and accused persons in criminal proceedings and for requested persons in European arrest warrant proceedings, OJ L 297, 4.11.2016, p. 1; Directive (EU) 2016/800 of the European Parliament and of the Council of 11 May 2016 on procedural safeguards for children who are suspects or accused persons in criminal proceedings, OJ L 132, 21.5.2016, p. 1; Directive (EU) 2016/343 of the European Parliament and of the Council of 9 March 2016 on the strengthening of certain aspects of the presumption of innocence and of the right to be present at the trial in criminal proceedings, OJ L 65, 11.3.2016, p. 1; Directive 2012/13/EU of the European Parliament and of the Council of 22 May 2012 on the right to information in criminal proceedings.

(24) See Court of Justice (Grand Chamber), Opinion 1/15, ECLI:EU:C:2017:592, paragraph 220. See also EDPB contribution to the consultation on a draft second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), 13 November 2019, p. 6 (“The competent national authorities to whom access to the data has been granted must notify the persons affected, under the applicable national procedures, as soon as that notification is no longer liable to jeopardize the investigations being undertaken by those authorities. … Notification is necessary to enable the persons affected to exercise, inter alia, their right to a legal remedy and their data protection rights in relation to the processing of their data”).

(25) This is why the Council Decision of 21 May 2019 authorising the opening of negotiations in view of an agreement between the European Union and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters (9114/19) in its negotiating directives contains a number of additional data protection safeguards. In particular, the negotiating directives stipulate that “[t]he agreement should complement the Umbrella Agreement with additional safeguards that take into account the level of sensitivity of the categories of data concerned and the unique requirements of the transfer of electronic evidence directly by service providers rather than between authorities and transfers from competent authorities directly to service providers.”

(26) See also Explanatory Report to the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 10 October 2018, points 106-107.

(27) COM(2018) 225 and 226 final.

(28) EDPS Opinion regarding the participation in the negotiations in view of a Second Additional Protocol to the Budapest Cybercrime Convention of 2 April 2019, Opinion 3/2019.

(29) Including ‘EDPB contribution to the consultation on a draft second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention) of 13 November 2019’; ‘Statement 02/201 on new draft provisions of the second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention) as adopted on 2 February 2021’; ‘EDPB Contribution to the 6th round of consultations on the draft Second Additional Protocol to the Council of Europe Budapest Convention on Cybercrime of 4 May 2021’.

(30) Allowing Parties to reserve the right not to apply Article 7 (disclosure of subscriber data).

(31) Allowing Parties to reserve the right not to apply Article 7 (disclosure of subscriber data) to certain types of access numbers if that would be inconsistent with the fundamental principles of its domestic legal system.

(32) Allowing Parties to declare that the order under Article 7, paragraph 1 (disclosure of subscriber data), must be issued by, or under the supervision of, a prosecutor, or other judicial authority, or otherwise be issued under independent supervision.

(33) Allowing Parties to notify the Secretary General of the Council of Europe that when an order is issued under Article 7, paragraph 1 (disclosure of subscriber data), to a service provider in its territory, the Party requires, in every case or in identified circumstances, simultaneous notification of the order, the supplemental information and a summary of the facts related to the investigation or proceeding.

(34) Allowing Parties to reserve the right not to apply Article 8 (giving effect to orders from another Party) to traffic data.

(35) See paragraph 147 of the explanatory report to the Protocol that determines that ‘[a] Party that reserves to this article is not permitted to submit orders for traffic data to other Parties under [Article 8,] paragraph 1’.

(36) Allowing Parties to declare that additional supporting information is required to give effect to orders under Article 8, paragraph 1 (giving effect to orders from another Party).

(37) Allowing Parties to declare that they will not execute requests under Article 9, paragraph 1, point a, (expedited disclosure of computer data in an emergency) seeking only the disclosure of subscriber data.

(38) Allowing Parties to communicate the contact details of the authority that it designates to receive notifications under Article 7, paragraph 5, point a, and perform the actions described in Article 7, paragraph 5, points b, c and d (disclosure of subscriber data).

(39) Allowing Parties to communicate contact information of the authorities designated to submit and to receive orders under Article 8 (giving effect to orders from another Party). In line with requirements under Regulation (EU) 2017/1939, the Member States that participate in the enhanced cooperation on the establishment of the European Public Prosecutor’s Office (EPPO) shall include the EPPO in the communication.

(40) Allowing Parties to communicate the authority or authorities that should, respectively, be notified in case of a security incident, or be contacted to seek prior authorisation in case of onward transfers to another State or international organisation.

(41) See above footnote 24.

(42) https://www.coe.int/en/web/cybercrime/protocol-consultations

(43) SWD(2018) 118 final.

(44) See for instance the Cybercrime Convention Committee Guidance Note 10 of 1 March 2017 on production orders for subscriber information (Article 18 Budapest Convention).

(45) See for instance the Resolution of the Board of the Internet Cooperation for Assigned Names and Numbers (ICANN) of 15 May 2019 on the Recommendations on the Temporary Specification for gTLD registration data, available at www.icann.org.

Top

EUROPEAN COMMISSION

Brussels, 25.11.2021

COM(2021) 719 final

ANNEX

to the

Proposal for a Council Decision

ANNEX

Member States shall, when ratifying the Protocol, in the interest of the Union, make the following reservations, declarations, notifications or communications, and other considerations.

1.Reservations

The Second Additional Protocol on enhanced co-operation and disclosure of electronic evidence to the Council of Europe ‘Budapest’ Convention on Cybercrime (‘the Protocol') allows a Party, in accordance with Article 19, paragraph 1, to declare that it avails itself of a reservation provided in relation to a number of articles of the Protocol.

Member States shall refrain from reserving the right not to apply Article 7 (disclosure of subscriber data) pursuant to Article 7, paragraphs 9, point a.

Member States shall refrain from reserving the right not to apply Article 7 (disclosure of subscriber data) in relation to certain types of access numbers pursuant to Article 7, paragraphs 9, point b.

Member States are encouraged to refrain from reserving the right not to apply Article 8 (giving effect to orders from another Party) in relation to traffic data pursuant to Article 8, paragraph 13.

Where Article 19, paragraph 1, provides a basis for other reservations, Member States are authorised to consider and make their own reservations.

2.Declarations

The Protocol also allows a Party, in accordance with Article 19, paragraph 2, to make a declaration in relation to a number of articles of the Protocol.

Member States shall make the declaration pursuant to Article 7, paragraph 2, point b, indicating that orders issued to service providers in their territory must be issued by, or under the supervision of, a prosecutor or other judicial authority, or otherwise be issued under independent supervision. Accordingly, Member States shall make the following declaration when depositing the instrument of ratification, acceptance or approval:

‘The order under Article 7, paragraph 1, must be issued by, or under the supervision of, a prosecutor or other judicial authority, or otherwise be issued under independent supervision.’

Member States are encouraged to refrain from declaring, under Article 9, paragraph 1, point b, that they will not execute requests under Article 9, paragraph 1, point a, (expedited disclosure of computer data in an emergency) seeking only the disclosure of subscriber data.

Where Article 19, paragraph 2, provides a basis for other declarations, Member States are authorised to consider and make their own declarations.

3.Declarations, notifications or communications

The Protocol also requires a Party, in accordance with Article 19, paragraph 3, to make declarations, notifications or communications in relation to a number of articles of the Protocol.

Member States shall notify that when an order is issued under Article 7, paragraph 1, to a service provider in its territory, it requires simultaneous notification of the order, supplemental information and a summary of the facts related to the investigation or proceeding, pursuant to Article 7, paragraph 5, point a. Accordingly, Member States shall, at the time of signature or when depositing their instrument of ratification, acceptance or approval, make the following notification to the Secretary General of the Council of Europe:

‘When an order is issued under Article 7, paragraph 1, to a service provider in the territory of [Member State], we require in every case simultaneous notification of the order, the supplemental information and a summary of facts related to the investigation or proceeding’.

Pursuant to Article 7, paragraph 5, point e, Member States shall designate a single authority to receive notification under Article 7, paragraph 5, point a, and perform the actions described in paragraphs 5, point b, point c and point d, and communicate the contact information of that authority.

Member States shall declare, under Article 8, paragraph 4, that additional supporting information is required to give effect to orders under Article 8, paragraph 1. Accordingly, Member States shall, at the time of signature or when depositing their instrument of ratification, acceptance or approval, make the following declaration:

‘Additional supporting information is required to give effect to orders under Article 8, paragraph 1. The additional supporting information required will depend on the circumstances of the order and the related investigation or proceeding’.

Member States shall communicate and keep up to date the contact information of those authorities designated under Article 8, paragraph 10, point a, to submit an order under Article 8, and of those authorities designated, under Article 8, paragraph 10, point b, to receive an order under Article 8. The Member States that participate in the enhanced cooperation established by Regulation (EU) 2017/1939 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’) shall include the EPPO, in the exercise of its competences as provided for by Articles 22, 23 and 25 of Regulation (EU) 2017/1939, among the authorities communicated under Article 8, paragraph 10, point a and point b.

Member States shall communicate the authority or authorities to be notified under Article 14, paragraph 7, point c, in relation to a security incident.

Member States shall communicate the authority or authorities to provide authorisation for the purpose of Article 14, paragraph 10, point b, in relation to the onward transfer to another State or international organisation of data received under the Protocol.

Where Article 19, paragraph 3, provides a basis for other declarations, notifications or communications, Member States are authorised to consider and make their own declarations, notifications or communications.

4.Other considerations

Member States that participate in the enhanced cooperation established by Regulation (EU) 2017/1939 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’) shall ensure that the EPPO can, in the exercise of its competences as provided for by Articles 22, 23 and 25 of Regulation (EU) 2017/1939, seek cooperation under the Protocol in the same way as national prosecutors of those Member States.

Member States shall ensure that, when transferring data for the purposes of the Protocol, the receiving Party is informed that their domestic legal framework requires giving personal notice to the individual whose data is provided, pursuant to Article 14, paragraph 11, point c, of the Protocol.

With regard to international transfers on the basis of the EU-U.S. Umbrella Agreement, Member States shall communicate to the competent authorities of the United States, for the purposes of Article 14, paragraph 1, point b, of the Protocol, that the Agreement applies to the reciprocal transfers of personal data under the Protocol between competent authorities. However, Member States shall take into account that the Agreement should be complemented with additional safeguards that take into account the unique requirements of the transfer of electronic evidence directly by service providers rather than between authorities as provided under the Protocol. Accordingly, Member States shall, at the time of signature or when depositing their instrument of ratification, acceptance or approval, make the following communication to the competent authorities of the United States:

‘For the purposes of Article 14, paragraph 1, point b, of the Second Additional Protocol to the Council of Europe Convention on Cybercrime, we consider that the EU-U.S. Umbrella Agreement applies to the reciprocal transfers of personal data under the Protocol between competent authorities. For transfers between service providers in our territory and authorities in the United States under the Protocol, the Agreement applies only in combination with a further, specific transfer arrangement that addresses the unique requirements of the transfer of electronic evidence directly by service providers rather than between authorities’.

Member States shall ensure that, for the purpose of Article 14, paragraph 1, point c, of the Protocol, they only rely on other agreements or arrangements if either the European Commission has adopted an adequacy decision pursuant to Article 45 of the General Data Protection Regulation (EU) 2016/679 or Article 36 of the Law Enforcement Directive (EU) 2016/680 for the third country concerned that covers the respective data transfers, or if such other agreement or arrangement ensures appropriate data protection safeguards pursuant to Article 46 of the General Data Protection Regulation or Article 37, paragraph 1, point a, of the Law Enforcement Directive.

Top

EUROPEAN COMMISSION

Brussels, 25.11.2021

COM(2021) 719 final

ANNEX

to the

Proposal for a Council Decision

ANNEX

Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence

Preamble

The member States of the Council of Europe and the other States Parties to the Convention on Cybercrime (ETS No. 185, hereinafter "the Convention"), opened for signature in Budapest on 23 November 2001, signatories hereto,

Bearing in mind the reach and impact of the Convention in all regions of the world;

Recalling that the Convention is already supplemented by the Additional Protocol concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems (ETS No. 189), opened for signature in Strasbourg on 28 January 2003 (hereinafter "the First Protocol"), as between Parties to that Protocol;

Taking into account existing Council of Europe treaties on co-operation in criminal matters as well as other agreements and arrangements on co-operation in criminal matters between Parties to the Convention;

Having regard also for the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) as amended by its amending Protocol (CETS No. 223), opened for signature in Strasbourg on 10 October 2018, and to which any State may be invited to accede;

Recognising the growing use of information and communication technology, including internet services, and increasing cybercrime, which is a threat to democracy and the rule of law and which many States also consider a threat to human rights;

Also recognising the growing number of victims of cybercrime and the importance of obtaining justice for those victims;

Recalling that governments have the responsibility to protect society and individuals against crime not only offline but also online, including through effective criminal investigations and prosecutions;

Aware that evidence of any criminal offence is increasingly stored in electronic form on computer systems in foreign, multiple or unknown jurisdictions, and convinced that additional measures are needed to lawfully obtain such evidence in order to enable an effective criminal justice response and to uphold the rule of law;

Recognising the need for increased and more efficient co-operation between States and the private sector, and that in this context greater clarity or legal certainty is needed for service providers and other entities regarding the circumstances in which they may respond to direct requests from criminal justice authorities in other Parties for the disclosure of electronic data;

Aiming, therefore, to further enhance co-operation on cybercrime and the collection of evidence in electronic form of any criminal offence for the purpose of specific criminal investigations or proceedings through additional tools pertaining to more efficient mutual assistance and other forms of co-operation between competent authorities; co-operation in emergencies; and direct co-operation between competent authorities and service providers and other entities in possession or control of pertinent information;

Convinced that effective cross-border co-operation for criminal justice purposes, including between public and private sectors, benefits from effective conditions and safeguards for the protection of human rights and fundamental freedoms;

Recognising that the collection of electronic evidence for criminal investigations often concerns personal data, and recognising the requirement in many Parties to protect privacy and personal data in order to meet their constitutional and international obligations; and

Mindful of the need to ensure that effective criminal justice measures on cybercrime and the collection of evidence in electronic form are subject to conditions and safeguards, which shall provide for the adequate protection of human rights and fundamental freedoms, including rights arising pursuant to obligations that States have undertaken under applicable international human rights instruments, such as the 1950 Convention for the Protection of Human Rights and Fundamental Freedoms (ETS No. 5) of the Council of Europe, the 1966 United Nations International Covenant on Civil and Political Rights, the 1981 African Charter on Human and People's Rights, the 1969 American Convention on Human Rights and other international human rights treaties;

Have agreed as follows:

Chapter I - Common provisions

Article 1 - Purpose

The purpose of this Protocol is to supplement:

a. the Convention as between the Parties to this Protocol; and

b. the First Protocol as between the Parties to this Protocol that are also Parties to the First Protocol.

Article 2 - Scope of application

1. Except as otherwise specified herein, the measures described in this Protocol shall be applied:

a. as between Parties to the Convention that are Parties to this Protocol, to specific criminal investigations or proceedings concerning criminal offences related to computer systems and data, and to the collection of evidence in electronic form of a criminal offence; and

b. as between Parties to the First Protocol that are Parties to this Protocol, to specific criminal investigations or proceedings concerning criminal offences established pursuant to the First Protocol.

2. Each Party shall adopt such legislative and other measures as may be necessary to carry out the obligations set forth in this Protocol.

Article 3 - Definitions

1. The definitions provided in Articles 1 and 18, paragraph 3, of the Convention apply to this Protocol.

2. For the purposes of this Protocol, the following additional definitions apply:

a. "central authority" means the authority or authorities designated under a mutual assistance treaty or arrangement on the basis of uniform or reciprocal legislation in force between the Parties concerned, or, in the absence thereof, the authority or authorities designated by a Party under Article 27, paragraph 2.a, of the Convention;

b. "competent authority" means a judicial, administrative or other law-enforcement authority that is empowered by domestic law to order, authorise or undertake the execution of measures under this Protocol for the purpose of collection or production of evidence with respect to specific criminal investigations or proceedings;

c. an "emergency" means a situation in which there is a significant and imminent risk to the life or safety of any natural person;

d. "personal data" means information relating to an identified or identifiable natural person;

e. "transferring Party" means the Party transmitting the data in response to a request or as part of a joint investigation team or, for the purposes of Chapter II, section 2, a Party in whose territory a transmitting service provider or entity providing domain name registration services is located.

Article 4 - Language

1. Requests, orders and accompanying information submitted to a Party shall be in a language acceptable to the requested Party or the Party notified under Article 7, paragraph 5, or be accompanied by a translation into such a language.

2. Orders under Article 7 and requests under Article 6, and any accompanying information shall be:

a. submitted in a language of the other Party in which the service provider or entity accepts comparable domestic process;

b. submitted in another language acceptable to the service provider or entity; or

c. accompanied by a translation into one of the languages under paragraphs 2.a or 2.b.

Chapter II - Measures for enhanced co-operation

Section 1 - General principles applicable to Chapter II

Article 5 - General principles applicable to Chapter II

1. The Parties shall co-operate in accordance with the provisions of this Chapter to the widest extent possible.

2. Section 2 of this chapter consists of Articles 6 and 7. It provides for procedures enhancing direct co-operation with providers and entities in the territory of another Party. Section 2 applies whether or not there is a mutual assistance treaty or arrangement on the basis of uniform or reciprocal legislation in force between the Parties concerned.

3. Section 3 of this chapter consists of Articles 8 and 9. It provides for procedures to enhance international co-operation between authorities for the disclosure of stored computer data. Section 3 applies whether or not there is a mutual assistance treaty or arrangement on the basis of uniform or reciprocal legislation in force between the requesting and requested Parties.

4. Section 4 of this chapter consists of Article 10. It provides for procedures pertaining to emergency mutual assistance. Section 4 applies whether or not there is a mutual assistance treaty or arrangement on the basis of uniform or reciprocal legislation in force between the requesting and requested Parties.

5. Section 5 of this chapter consists of Articles 11 and 12. Section 5 applies where there is no mutual assistance treaty or arrangement on the basis of uniform or reciprocal legislation in force between the requesting and requested Parties. The provisions of section 5 shall not apply where such treaty or arrangement exists, except as provided in Article 12, paragraph 7. However, the Parties concerned may mutually determine to apply the provisions of section 5 in lieu thereof, if the treaty or arrangement does not prohibit it.

6. Where, in accordance with the provisions of this Protocol, the requested Party is permitted to make co-operation conditional upon the existence of dual criminality, that condition shall be deemed fulfilled, irrespective of whether its laws place the offence within the same category of offence or denominate the offence by the same terminology as the requesting Party, if the conduct underlying the offence for which assistance is sought is a criminal offence under its laws.

7. The provisions in this chapter do not restrict co-operation between Parties, or between Parties and service providers or other entities, through other applicable agreements, arrangements, practices, or domestic law.

Section 2 - Procedures enhancing direct co-operation with providers and entities in other Parties

Article 6 - Request for domain name registration information

1. Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities, for the purposes of specific criminal investigations or proceedings, to issue a request to an entity providing domain name registration services in the territory of another Party for information in the entity's possession or control, for identifying or contacting the registrant of a domain name.

2. Each Party shall adopt such legislative and other measures as may be necessary to permit an entity in its territory to disclose such information in response to a request under paragraph 1, subject to reasonable conditions provided by domestic law.

3. The request under paragraph 1 shall include:

a. the date on which the request was issued and the identity and contact details of the competent authority issuing the request;

b. the domain name about which information is sought and a detailed list of the information sought, including the particular data elements;

c. a statement that the request is issued pursuant to this Protocol, that the need for the information arises because of its relevance to a specific criminal investigation or proceeding and that the information will only be used for that specific criminal investigation or proceeding; and

d. the time frame within which and the manner in which to disclose the information and any other special procedural instructions.

4. If acceptable to the entity, a Party may submit a request under paragraph 1 in electronic form. Appropriate levels of security and authentication may be required.

5. In the event of non-co-operation by an entity described in paragraph 1, a requesting Party may request that the entity give a reason why it is not disclosing the information sought. The requesting Party may seek consultation with the Party in which the entity is located, with a view to determining available measures to obtain the information.

6. Each Party shall, at the time of signature of this Protocol or when depositing its instrument of ratification, acceptance or approval, or at any other time, communicate to the Secretary General of the Council of Europe the authority designated for the purpose of consultation under paragraph 5.

7. The Secretary General of the Council of Europe shall set up and keep updated a register of authorities designated by the Parties under paragraph 6. Each Party shall ensure that the details that it has provided for the register are correct at all times.

Article 7 - Disclosure of subscriber information

1. Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to issue an order to be submitted directly to a service provider in the territory of another Party, in order to obtain the disclosure of specified, stored subscriber information in that service provider's possession or control, where the subscriber information is needed for the issuing Party's specific criminal investigations or proceedings.

2. a. Each Party shall adopt such legislative and other measures as may be necessary for a service provider in its territory to disclose subscriber information in response to an order under paragraph 1.

b. At the time of signature of this Protocol or when depositing its instrument of ratification, acceptance or approval, a Party may - with respect to orders issued to service providers in its territory - make the following declaration: "The order under Article 7, paragraph 1, must be issued by, or under the supervision of, a prosecutor or other judicial authority, or otherwise be issued under independent supervision".

3. The order under paragraph 1 shall specify:

a. the issuing authority and date issued;

b. a statement that the order is issued pursuant to this Protocol;

c. the name and address of the service provider(s) to be served;

d. the offence(s) that is/are the subject of the criminal investigation or proceeding;

e. the authority seeking the specific subscriber information, if not the issuing authority; and

f. a detailed description of the specific subscriber information sought.

4. The order under paragraph 1 shall be accompanied by the following supplemental information:

a. the domestic legal grounds that empower the authority to issue the order;

b. a reference to legal provisions and applicable penalties for the offence being investigated or prosecuted;

c. the contact information of the authority to which the service provider shall return the subscriber information, from which it can request further information, or to which it shall otherwise respond;

d. the time frame within which and the manner in which to return the subscriber information;

e. whether preservation of the data has already been sought, including the date of preservation and any applicable reference number;

f. any special procedural instructions;

g. if applicable, a statement that simultaneous notification has been made pursuant to paragraph 5; and

h. any other information that may assist in obtaining disclosure of the subscriber information.

5. a. A Party may, at the time of signature of this Protocol or when depositing its instrument of ratification, acceptance or approval, and at any other time, notify the Secretary General of the Council of Europe that, when an order is issued under paragraph 1 to a service provider in its territory, the Party requires, in every case or in identified circumstances, simultaneous notification of the order, the supplemental information and a summary of the facts related to the investigation or proceeding.

b. Whether or not a Party requires notification under paragraph 5.a, it may require the service provider to consult the Party's authorities in identified circumstances prior to disclosure.

c. The authorities notified under paragraph 5.a or consulted under paragraph 5.b may, without undue delay, instruct the service provider not to disclose the subscriber information if:

i. disclosure may prejudice criminal investigations or proceedings in that Party; or

ii. conditions or grounds for refusal would apply under Article 25, paragraph 4, and Article 27, paragraph 4, of the Convention had the subscriber information been sought through mutual assistance.

d. The authorities notified under paragraph 5.a or consulted under paragraph 5.b:

i. may request additional information from the authority referred to in paragraph 4.c for the purposes of applying paragraph 5.c and shall not disclose it to the service provider without that authority's consent; and

ii. shall promptly inform the authority referred to in paragraph 4.c if the service provider has been instructed not to disclose the subscriber information and give the reasons for doing so.

e. A Party shall designate a single authority to receive notification under paragraph 5.a and perform the actions described in paragraphs 5.b, 5.c and 5.d. The Party shall, at the time when notification to the Secretary General of the Council of Europe under paragraph 5.a is first given, communicate to the Secretary General the contact information of that authority.

f. The Secretary General of the Council of Europe shall set up and keep updated a register of the authorities designated by the Parties pursuant to paragraph 5.e and whether and under what circumstances they require notification pursuant to paragraph 5.a. Each Party shall ensure that the details that it provides for the register are correct at all times.

6. If acceptable to the service provider, a Party may submit an order under paragraph 1 and supplemental information under paragraph 4 in electronic form. A Party may provide notification and additional information under paragraph 5 in electronic form. Appropriate levels of security and authentication may be required.

7. If a service provider informs the authority in paragraph 4.c that it will not disclose the subscriber information sought, or if it does not disclose subscriber information in response to the order under paragraph 1 within thirty days of receipt of the order or the timeframe stipulated in paragraph 4.d, whichever time period is longer, the competent authorities of the issuing Party may then seek to enforce the order only via Article 8 or other forms of mutual assistance. Parties may request that a service provider give a reason for refusing to disclose the subscriber information sought by the order.

8. A Party may, at the time of signature of this Protocol or when depositing its instrument of ratification, acceptance or approval, declare that an issuing Party shall seek disclosure of subscriber information from the service provider before seeking it under Article 8, unless the issuing Party provides a reasonable explanation for not having done so.

9. At the time of signature of this Protocol or when depositing its instrument of ratification, acceptance, or approval, a Party may:

a. reserve the right not to apply this article; or

b. if disclosure of certain types of access numbers under this article would be inconsistent with the fundamental principles of its domestic legal system, reserve the right not to apply this article to such numbers.

Section 3 - Procedures enhancing international co-operation between authorities for the disclosure of stored computer data

Article 8 - Giving effect to orders from another Party for expedited production of subscriber information and traffic data

1. Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to issue an order to be submitted as part of a request to another Party for the purpose of compelling a service provider in the requested Party's territory to produce specified and stored

a. subscriber information, and

b. traffic data

in that service provider's possession or control which is needed for the Party's specific criminal investigations or proceedings.

2. Each Party shall adopt such legislative and other measures as may be necessary to give effect to an order under paragraph 1 submitted by a requesting Party.

3. In its request, the requesting Party shall submit the order under paragraph 1, the supporting information and any special procedural instructions to the requested Party.

a. The order shall specify:

i. the issuing authority and the date the order was issued;

ii. a statement that the order is submitted pursuant to this Protocol;

iii. the name and address of the service provider(s) to be served;

iv. the offence(s) that is/are the subject of the criminal investigation or proceeding;

v. the authority seeking the information or data, if not the issuing authority; and

vi. a detailed description of the specific information or data sought.

b. The supporting information, provided for the purpose of assisting the requested Party to give effect to the order and which shall not be disclosed to the service provider without the consent of the requesting Party, shall specify:

i. the domestic legal grounds that empower the authority to issue the order;

ii. the legal provisions and applicable penalties for the offence(s) being investigated or prosecuted;

iii. the reason why the requesting Party believes that the service provider is in possession or control of the data;

iv. a summary of the facts related to the investigation or proceeding;

v. the relevance of the information or data to the investigation or proceeding;

vi. contact information of an authority or authorities that may provide further information;

vii. whether preservation of the information or data has already been sought, including the date of preservation and any applicable reference number; and

viii. whether the information has or data have already been sought by other means, and, if so, in what manner.

c. The requesting Party may request that the requested Party carry out special procedural instructions.

4. A Party may declare at the time of signature of this Protocol or when depositing its instrument of ratification, acceptance or approval, and at any other time, that additional supporting information is required to give effect to orders under paragraph 1.

5. The requested Party shall accept requests in electronic form. It may require appropriate levels of security and authentication before accepting the request.

6. a. The requested Party, from the date of receipt of all the information specified in paragraphs 3 and 4, shall make reasonable efforts to serve the service provider within forty-five days, if not sooner, and shall order a return of requested information or data no later than:

i. twenty days for subscriber information; and

ii. forty-five days for traffic data.

b. The requested Party shall provide for the transmission of the produced information or data to the requesting Party without undue delay.

7. If the requested Party cannot comply with the instructions under paragraph 3.c in the manner requested, it shall promptly inform the requesting Party, and, if applicable, specify any conditions under which it could comply, following which the requesting Party shall determine whether the request should nevertheless be executed.

8. The requested Party may refuse to execute a request on the grounds established in Article 25, paragraph 4, or Article 27, paragraph 4, of the Convention or may impose conditions it considers necessary to permit execution of the request. The requested Party may postpone execution of requests for reasons established under Article 27, paragraph 5, of the Convention. The requested Party shall notify the requesting Party as soon as practicable of the refusal, conditions, or postponement. The requested Party shall also notify the requesting Party of other circumstances that are likely to delay execution of the request significantly. Article 28, paragraph 2.b, of the Convention shall apply to this article.

9. a. If the requesting Party cannot comply with a condition imposed by the requested Party under paragraph 8, it shall promptly inform the requested Party. The requested Party shall then determine if the information or material should nevertheless be provided.

b. If the requesting Party accepts the condition, it shall be bound by it. The requested Party that supplies information or material subject to such a condition may require the requesting Party to explain in relation to that condition the use made of such information or material.

10. Each Party shall, at the time of signature of this Protocol or when depositing its instrument of ratification, acceptance or approval, communicate to the Secretary General of the Council of Europe and keep up to date the contact information of the authorities designated:

a. to submit an order under this article; and

b. to receive an order under this article.

11. A Party may, at the time of signature of this Protocol or when depositing its instrument of ratification, acceptance or approval, declare that it requires that requests by other Parties under this article be submitted to it by the central authority of the requesting Party, or by such other authority as mutually determined between the Parties concerned.

12. The Secretary General of the Council of Europe shall set up and keep updated a register of authorities designated by the Parties under paragraph 10. Each Party shall ensure that the details that it has provided for the register are correct at all times.

13. At the time of signature of this Protocol or when depositing its instrument of ratification, acceptance, or approval, a Party may reserve the right not to apply this article to traffic data.

Article 9 - Expedited disclosure of stored computer data in an emergency

1. a. Each Party shall adopt such legislative and other measures as may be necessary, in an emergency, for its point of contact for the 24/7 Network referenced in Article 35 of the Convention ("point of contact") to transmit a request to and receive a request from a point of contact in another Party seeking immediate assistance in obtaining from a service provider in the territory of that Party the expedited disclosure of specified, stored computer data in that service provider's possession or control, without a request for mutual assistance.

b. A Party may, at the time of signature of this Protocol or when depositing its instrument of ratification, acceptance or approval, declare that it will not execute requests under paragraph l.a seeking only the disclosure of subscriber information.

2. Each Party shall adopt such legislative and other measures as may be necessary to enable, pursuant to paragraph 1:

a. its authorities to seek data from a service provider in its territory following a request under paragraph 1;

b. a service provider in its territory to disclose the requested data to its authorities in response to a request under paragraph 2.a; and

c. its authorities to provide the requested data to the requesting Party.

3. The request under paragraph 1 shall specify:

a. the competent authority seeking the data and date on which the request was issued;

b. a statement that the request is issued pursuant to this Protocol;

c. the name and address of the service provider(s) in possession or control of the data sought;

d. the offence(s) that is/are the subject of the criminal investigation or proceeding and a reference to its legal provisions and applicable penalties;

e. sufficient facts to demonstrate that there is an emergency and how the data sought relates to it;

f. a detailed description of the data sought;

g. any special procedural instructions; and

h. any other information that may assist in obtaining disclosure of the requested data.

4. The requested Party shall accept a request in electronic form. A Party may also accept a request transmitted orally and may require confirmation in electronic form. It may require appropriate levels of security and authentication before accepting the request.

5. A Party may, at the time of signature of this Protocol or when depositing its instrument of ratification, acceptance or approval, declare that it requires requesting Parties, following the execution of the request, to submit the request and any supplemental information transmitted in support thereof, in a format and through such channel, which may include mutual assistance, as specified by the requested Party.

6. The requested Party shall inform the requesting Party of its determination on the request under paragraph 1 on a rapidly expedited basis and, if applicable, shall specify any conditions under which it would provide the data and any other forms of co-operation that may be available.

7. a. If a requesting Party cannot comply with a condition imposed by the requested Party under paragraph 6, it shall promptly inform the requested Party. The requested Party shall then determine whether the information or material should nevertheless be provided. If the requesting Party accepts the condition, it shall be bound by it.

b. The requested Party that supplies information or material subject to such a condition may require the requesting Party to explain in relation to that condition the use made of such information or material.

Section 4 - Procedures pertaining to emergency mutual assistance

Article 10 - Emergency mutual assistance

1. Each Party may seek mutual assistance on a rapidly expedited basis where it is of the view that an emergency exists. A request under this article shall include, in addition to the other contents required, a description of the facts that demonstrate that there is an emergency and how the assistance sought relates to it.

2. A requested Party shall accept such a request in electronic form. It may require appropriate levels of security and authentication before accepting the request.

3. The requested Party may seek, on a rapidly expedited basis, supplemental information in order to evaluate the request. The requesting Party shall provide such supplemental information on a rapidly expedited basis.

4. Once satisfied that an emergency exists and the other requirements for mutual assistance have been satisfied, the requested Party shall respond to the request on a rapidly expedited basis.

5. Each Party shall ensure that a person from its central authority or other authorities responsible for responding to mutual assistance requests is available on a twenty-four hour, seven-day-a-week basis for the purpose of responding to a request under this article.

6. The central authority or other authorities responsible for mutual assistance of the requesting and requested Parties may mutually determine that the results of the execution of a request under this article, or an advance copy thereof, may be provided to the requesting Party through a channel other than that used for the request.

7. Where there is no mutual assistance treaty or arrangement on the basis of uniform or reciprocal legislation in force between the requesting and requested Parties, Article 27, paragraphs 2.b and 3 to 8, and Article 28, paragraphs 2 to 4, of the Convention shall apply to this article.

8. Where such a treaty or arrangement exists, this article shall be supplemented by the provisions of such treaty or arrangement unless the Parties concerned mutually determine to apply any or all of the provisions of the Convention referred to in paragraph 7 of this article, in lieu thereof.

9. Each Party may, at the time of signature of this Protocol or when depositing its instrument of ratification, acceptance or approval, declare that requests may also be sent directly to its judicial authorities, or through the channels of the International Criminal Police Organization (INTERPOL) or to its 24/7 point of contact established under Article 35 of the Convention. In any such cases, a copy shall be sent at the same time to the central authority of the requested Party through the central authority of the requesting Party. Where a request is sent directly to a judicial authority of the requested Party and that authority is not competent to deal with the request, it shall refer the request to the competent national authority and inform the requesting Party directly that it has done so.

Section 5 - Procedures pertaining to international co-operation in the absence of applicable international agreements

Article 11 - Video conferencing

1. A requesting Party may request, and the requested Party may permit, testimony and statements to be taken from a witness or expert by video conference. The requesting Party and the requested Party shall consult in order to facilitate resolution of any issues that may arise with regard to the execution of the request, including, as applicable: which Party shall preside; the authorities and persons that shall be present; whether one or both Parties shall administer particular oaths, warnings or give instructions to the witness or expert; the manner of questioning the witness or expert; the manner in which the rights of the witness or expert shall be duly ensured; the treatment of claims of privilege or immunity; the treatment of objections to questions or responses; and whether one or both Parties shall provide translation, interpretation and transcription services.

2. a. The central authorities of the requested and requesting Parties shall communicate directly with each other for the purposes of this article. A requested Party may accept a request in electronic form. It may require appropriate levels of security and authentication before accepting the request.

b. The requested Party shall inform the requesting Party of the reasons for not executing or for delaying the execution of the request. Article 27, paragraph 8, of the Convention applies to this article. Without prejudice to any other condition a requested Party may impose in accordance with this article, Article 28, paragraphs 2 to 4, of the Convention apply to this article.

3. A requested Party providing assistance under this article shall endeavour to obtain the presence of the person whose testimony or statement is sought. Where appropriate the requested Party may, to the extent possible under its law, take the necessary measures to compel a witness or expert to appear in the requested Party at a set time and location.

4. The procedures relating to the conduct of the video conference specified by the requesting Party shall be followed, except where incompatible with the domestic law of the requested Party. In case of incompatibility, or to the extent that the procedure has not been specified by the requesting Party, the requested Party shall apply the procedure under its domestic law unless otherwise mutually determined by the requesting and requested Parties.

5. Without prejudice to any jurisdiction under the domestic law of the requesting Party, where in the course of the video conference, the witness or expert:

a. makes an intentionally false statement when the requested Party has, in accordance with the domestic law of the requested Party, obliged such person to testify truthfully;

b. refuses to testify when the requested Party has, in accordance with the domestic law of the requested Party, obliged such person to testify; or

c. commits other misconduct that is prohibited by the domestic law of the requested Party in the course of such proceedings;

the person shall be sanctionable in the requested Party in the same manner as if such act had been committed in the course of its domestic proceedings.

6. a. Unless otherwise mutually determined between the requesting Party and the requested Party, the requested Party shall bear all costs related to the execution of a request under this article, except:

i. the fees of an expert witness;

ii. the costs of translation, interpretation and transcription; and

iii. costs of an extraordinary nature.

b. If the execution of a request would impose costs of an extraordinary nature, the requesting Party and the requested Party shall consult each other in order to determine the conditions under which the request may be executed.

7. Where mutually agreed upon by the requesting Party and the requested Party:

a. the provisions of this article may be applied for the purposes of carrying out audio conferences;

b. video conferencing technology may be used for purposes, or for hearings, other than those described in paragraph 1, including for the purposes of identifying persons or objects.

8. Where a requested Party chooses to permit the hearing of a suspect or accused person, it may require particular conditions and safeguards with respect to the taking of testimony or a statement from, or providing notifications or applying procedural measures to, such person.

Article 12 - Joint investigation teams and joint investigations

1. By mutual agreement, the competent authorities of two or more Parties may establish and operate a joint investigation team in their territories to facilitate criminal investigations or proceedings, where enhanced coordination is deemed to be of particular utility. The competent authorities shall be determined by the respective Parties concerned.

2. The procedures and conditions governing the operation of joint investigation teams, such as their specific purposes; composition; functions; duration and any extension periods; location; organisation; terms of gathering, transmitting and using information or evidence; terms of confidentiality; and terms for the involvement of the participating authorities of a Party in investigative activities taking place in another Party's territory, shall be as agreed between those competent authorities.

3. A Party may declare at the time of signature of this Protocol or when depositing its instrument of ratification, acceptance, or approval that its central authority must be a signatory to or otherwise concur in the agreement establishing the team.

4. Those competent and participating authorities shall communicate directly, except that Parties may mutually determine other appropriate channels of communication where exceptional circumstances require more central coordination.

5. Where investigative measures need to be taken in the territory of one of the Parties concerned, participating authorities from that Party may request their own authorities to take those measures without the other Parties having to submit a request for mutual assistance. Those measures shall be carried out by that Party's authorities in its territory under the conditions that apply under domestic law in a national investigation.

6. Use of information or evidence provided by the participating authorities of one Party to participating authorities of other Parties concerned may be refused or restricted in the manner set forth in the agreement described in paragraphs 1 and 2. If that agreement does not set forth terms for refusing or restricting use, the Parties may use the information or evidence provided:

a. for the purposes for which the agreement has been entered into;

b. for detecting, investigating and prosecuting criminal offences other than those for which the agreement was entered into, subject to the prior consent of the authorities providing the information or evidence. However, consent shall not be required where fundamental legal principles of the Party using the information or evidence require that it disclose the information or evidence to protect the rights of an accused person in criminal proceedings. In that case, those authorities shall notify the authorities that provided the information or evidence without undue delay; or

c. to prevent an emergency. In that case, the participating authorities that received the information or evidence shall notify without undue delay the participating authorities that provided the information or evidence, unless mutually determined otherwise.

7. In the absence of an agreement described in paragraphs 1 and 2, joint investigations may be undertaken under mutually agreed terms on a case-by-case basis. This paragraph applies whether or not there is a mutual assistance treaty or arrangement on the basis of uniform or reciprocal legislation in force between the Parties concerned.

Chapter III - Conditions and safeguards

Article 13 - Conditions and safeguards

In accordance with Article 15 of the Convention, each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Protocol are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties.

Article 14 - Protection of personal data

1. Scope

a. Except as otherwise provided in paragraphs l.b and c, each Party shall process the personal data that it receives under this Protocol in accordance with paragraphs 2 to 15 of this article.

b. If, at the time of receipt of personal data under this Protocol, both the transferring Party and the receiving Party are mutually bound by an international agreement establishing a comprehensive framework between those Parties for the protection of personal data, which is applicable to the transfer of personal data for the purpose of the prevention, detection, investigation and prosecution of criminal offences, and which provides that the processing of personal data under that agreement complies with the requirements of the data protection legislation of the Parties concerned, the terms of such agreement shall apply, for the measures falling within the scope of such agreement, to personal data received under the Protocol in lieu of paragraphs 2 to 15, unless otherwise agreed between the Parties concerned.

c. If the transferring Party and the receiving Party are not mutually bound under an agreement described in paragraph l.b, they may mutually determine that the transfer of personal data under this Protocol may take place on the basis of other agreements or arrangements between the Parties concerned in lieu of paragraphs 2 to 15.

d. Each Party shall consider that the processing of personal data pursuant to paragraphs l.a and l.b meets the requirements of its personal data protection legal framework for international transfers of personal data, and no further authorisation for transfer shall be required under that legal framework. A Party may only refuse or prevent data transfers to another Party under this Protocol for reasons of data protection under the conditions set out in paragraph 15 when paragraph l.a applies; or under the terms of an agreement or arrangement referred to in paragraphs l.b orc, when one of those paragraphs applies.

e. Nothing in this article shall prevent a Party from applying stronger safeguards to the processing by its own authorities of personal data received under this Protocol.

2. Purpose and use

a. The Party that has received personal data shall process them for the purposes described in Article 2. It shall not further process the personal data for an incompatible purpose, and it shall not further process the data when this is not permitted under its domestic legal framework. This article shall not prejudice the ability of the transferring Party to impose additional conditions pursuant to this Protocol in a specific case, however, such conditions shall not include generic data protection conditions.

b. The receiving Party shall ensure under its domestic legal framework that personal data sought and processed are relevant to and not excessive in relation to the purposes of such processing.

3. Quality and integrity

Each Party shall take reasonable steps to ensure that personal data are maintained with such accuracy and completeness and are as up to date as is necessary and appropriate for the lawful processing of the personal data, having regard to the purposes for which they are processed.

4. Sensitive data

Processing by a Party of personal data revealing racial or ethnic origin, political opinions or religious or other beliefs, or trade union membership; genetic data; biometric data considered sensitive in view of the risks involved; or personal data concerning health or sexual life; shall only take place under appropriate safeguards to guard against the risk of unwarranted prejudicial impact from the use of such data, in particular against unlawful discrimination.

5. Retention periods

Each Party shall retain the personal data only for as long as necessary and appropriate in view of the purposes of processing the data pursuant to paragraph 2. In order to meet this obligation, it shall provide in its domestic legal framework for specific retention periods or periodic review of the need for further retention of the data.

6. Automated decisions

Decisions producing a significant adverse effect concerning the relevant interests of the individual to whom the personal data relates may not be based solely on automated processing of personal data, unless authorised under domestic law and with appropriate safeguards that include the possibility to obtain human intervention.

7. Data security and security incidents

a. Each Party shall ensure that it has in place appropriate technological, physical and organisational measures for the protection of personal data, in particular against loss or accidental or unauthorised access, disclosure, alteration or destruction ("security incident").

b. Upon discovery of a security incident in which there is a significant risk of physical or non-physical harm to individuals or to the other Party, the receiving Party shall promptly assess the likelihood and scale thereof and shall promptly take appropriate action to mitigate such harm. Such action shall include notification to the transferring authority or, for purposes of Chapter II, Section 2, the authority or authorities designated pursuant to paragraph 7.c. However, notification may include appropriate restrictions as to the further transmission of the notification; it may be delayed or omitted when such notification may endanger national security, or delayed when such notification may endanger measures to protect public safety. Such action shall also include notification to the individual concerned, unless the Party has taken appropriate measures so that there is no longer a significant risk. Notification to the individual may be delayed or omitted under the conditions set out in paragraph 12.a.i. The notified Party may request consultation and additional information concerning the incident and the response thereto.

c. Each Party shall, at the time of signature of this Protocol or when depositing its instrument of ratification, acceptance or approval, communicate to the Secretary General of the Council of Europe the authority or authorities to be notified under paragraph 7.b for the purposes of Chapter II, Section 2: the information provided may subsequently be modified.

8. Maintaining records

Each Party shall maintain records or have other appropriate means to demonstrate how an individual's personal data are accessed, used and disclosed in a specific case.

9. Onward sharing within a Party

a. When an authority of a Party provides personal data received initially under this Protocol to another authority of that Party, that other authority shall process it in accordance with this article, subject to paragraph 9.b.

b. Notwithstanding paragraph 9.a, a Party that has made a reservation under Article 17 may provide personal data it has received to its constituent States or similar territorial entities provided the Party has in place measures in order that the receiving authorities continue to effectively protect the data by providing for a level of protection of the data comparable to that afforded by this article.

c. In case of indications of improper implementation of this paragraph, the transferring Party may request consultation and relevant information about those indications.

10. Onward transfer to another State or international organisation

a. The receiving Party may transfer the personal data to another State or international organisation only with the prior authorisation of the transferring authority or, for purposes of chapter II, section 2, the authority or authorities designated pursuant to paragraph 10.b.

b. Each Party shall, at the time of signature of this Protocol or when depositing its instrument of ratification, acceptance or approval, communicate to the Secretary General of the Council of Europe the authority or authorities to provide authorisation for purposes of chapter II, section 2; the information provided may subsequently be modified.

11. Transparency and notice

a. Each Party shall provide notice through the publication of general notices, or through personal notice to the individual whose personal data has been collected, with regard to:

i. the legal basis for and the purpose(s) of processing;

ii. any retention or review periods pursuant to paragraph 5, as applicable;

iii. recipients or categories of recipients to whom such data are disclosed; and

iv. access, rectification and redress available.

b. A Party may subject any personal notice requirement to reasonable restrictions under its domestic legal framework pursuant to the conditions set forth in paragraph 12.a.i.

c. Where the transferring Party's domestic legal framework requires giving personal notice to the individual whose data have been provided to another Party, the transferring Party shall take measures so that the other Party is informed at the time of transfer regarding this requirement and appropriate contact information. The personal notice shall not be given if the other Party has requested that the provision of the data be kept confidential, where the conditions for restrictions as set out in paragraph 12.a.i apply. Once these restrictions no longer apply and the personal notice can be provided, the other Party shall take measures so that the transferring Party is informed. If it has not yet been informed, the transferring Party is entitled to make requests to the receiving Party which will inform the transferring Party whether to maintain the restriction.

12. Access and rectification

a. Each Party shall ensure that any individual, whose personal data have been received under this Protocol is entitled to seek and obtain, in accordance with processes established in its domestic legal framework and without undue delay:

i. a written or electronic copy of the documentation kept on that individual containing the individual's personal data and available information indicating the legal basis for and purposes of the processing, retention periods and recipients or categories of recipients of the data ("access"), as well as information regarding available options for redress; provided that access in a particular case may be subject to the application of proportionate restrictions permitted under its domestic legal framework, needed, at the time of adjudication, to protect the rights and freedoms of others or important objectives of general public interest and that give due regard to the legitimate interests of the individual concerned;

ii. rectification when the individual's personal data are inaccurate or have been improperly processed; rectification shall include - as appropriate and reasonable considering the grounds for rectification and the particular context of processing - correction, supplementation, erasure or anonymisation, restriction of processing, or blocking.

b. If access or rectification is denied or restricted, the Party shall provide to the individual, in written form which may be provided electronically, without undue delay, a response informing that individual of the denial or restriction. It shall provide the grounds for such denial or restriction and provide information about available options for redress. Any expense incurred in obtaining access should be limited to what is reasonable and not excessive.

13. Judicial and non-judicial remedies

Each Party shall have in place effective judicial and non-judicial remedies to provide redress for violations of this article.

14. Oversight

Each Party shall have in place one or more public authorities that exercise, alone or cumulatively, independent and effective oversight functions and powers with respect to the measures set forth in this article. The functions and powers of these authorities acting alone or cumulatively shall include investigation powers, the power to act upon complaints and the ability to take corrective action.

15. Consultation and suspension

A Party may suspend the transfer of personal data to another Party if it has substantial evidence that the other Party is in systematic or material breach of the terms of this article or that a material breach is imminent. It shall not suspend transfers without reasonable notice, and not until after the Parties concerned have engaged in a reasonable period of consultation without reaching a resolution. However, a Party may provisionally suspend transfers in the event of a systematic or material breach that poses a significant and imminent risk to the life or safety of, or substantial reputational or monetary harm to, a natural person, in which case it shall notify and commence consultations with the other Party immediately thereafter. If the consultation has not led to a resolution, the other Party may reciprocally suspend transfers if it has substantial evidence that suspension by the suspending Party was contrary to the terms of this paragraph. The suspending Party shall lift the suspension as soon as the breach justifying the suspension has been remedied; any reciprocal suspension shall be lifted at that time. Any personal data transferred prior to suspension shall continue to be treated in accordance with this Protocol.

Chapter IV - Final provisions

Article 15 - Effects of this Protocol

1. a. Article 39, paragraph 2, of the Convention shall apply to this Protocol.

b. With respect to Parties that are members of the European Union, those Parties may, in their mutual relations, apply European Union law governing the matters dealt with in this Protocol.

c. Paragraph l.b does not affect the full application of this Protocol between Parties that are members of the European Union and other Parties.

2. Article 39, paragraph 3, of the Convention shall apply to this Protocol.

Article 16 - Signature and entry into force

1. This Protocol shall be open for signature by Parties to the Convention, which may express their consent to be bound by either:

a. signature without reservation as to ratification, acceptance or approval; or

b. signature subject to ratification, acceptance or approval, followed by ratification, acceptance or approval.

2. Instruments of ratification, acceptance or approval shall be deposited with the Secretary General of the Council of Europe.

3. This Protocol shall enter into force on the first day of the month following the expiration of a period of three months after the date on which five Parties to the Convention have expressed their consent to be bound by this Protocol, in accordance with the provisions of paragraphs 1 and 2 of this article.

4. In respect of any Party to the Convention which subsequently expresses its consent to be bound by this Protocol, the Protocol shall enter into force on the first day of the month following the expiration of a period of three months after the date on which the Party has expressed its consent to be bound by this Protocol, in accordance with the provisions of paragraphs 1 and 2 of this article.

Article 17 - Federal clause

1. A federal State may reserve the right to assume obligations under this Protocol consistent with its fundamental principles governing the relationship between its central government and constituent States or other similar territorial entities, provided that:

a. the Protocol shall apply to the central government of the federal State;

b. such a reservation shall not affect obligations to provide for the co-operation sought by other Parties in accordance with the provisions of Chapter II; and

c. the provisions of Article 13 shall apply to the federal State's constituent States or other similar territorial entities.

2. Another Party may prevent authorities, providers or entities in its territory from co-operating in response to a request or order submitted directly by the constituent State or other similar territorial entity of a federal State that has made a reservation under paragraph 1, unless that federal State notifies the Secretary General of the Council of Europe that a constituent State or other similar territorial entity applies the obligations of this Protocol applicable to that federal State. The Secretary General of the Council of Europe shall set up and keep updated a register of such notifications.

3. Another Party shall not prevent authorities, providers, or entities in its territory from co-operating with a constituent State or other similar territorial entity on the grounds of a reservation under paragraph 1, if an order or request has been submitted via the central government or a joint investigation team agreement under Article 12 is entered into with the participation of the central government. In such situations, the central government shall provide for the fulfilment of the applicable obligations of the Protocol, provided that, with respect to the protection of personal data provided to constituent States or similar territorial entities, only the terms of Article 14, paragraph 9, or, where applicable, the terms of an agreement or arrangement described in Article 14, paragraph l.b or l.c, shall apply.

4. With regard to the provisions of this Protocol, the application of which comes under the jurisdiction of constituent States or other similar territorial entities that are not obliged by the constitutional system of the federation to take legislative measures, the central government shall inform the competent authorities of such States of the said provisions with its favourable opinion, encouraging them to take appropriate action to give them effect.

Article 18 - Territorial application

1. This Protocol shall apply to the territory or territories specified in a declaration made by a Party under Article 38, paragraphs 1 or 2, of the Convention to the extent that such declaration has not been withdrawn under Article 38, paragraph 3.

2. A Party may, at the time of signature of this Protocol or when depositing its instrument of ratification, acceptance or approval, declare that this Protocol shall not apply to one or more territories specified in the Party's declaration under Article 38, paragraphs 1 and/or 2 of the Convention.

3. A declaration under paragraph 2 of this article may, in respect of any territory specified in such declaration, be withdrawn by a notification addressed to the Secretary General of the Council of Europe. The withdrawal shall become effective on the first day of the month following the expiration of a period of three months after the date of receipt of such notification by the Secretary General.

Article 19 - Reservations and declarations

1. By a written notification addressed to the Secretary General of the Council of Europe, any Party to the Convention may, at the time of signature of this Protocol or when depositing its instrument of ratification, acceptance or approval, declare that it avails itself of the reservation(s) provided for in Articles 7, paragraphs 9.a and 9.b, Article 8, paragraph 13, and Article 17 of this Protocol. No other reservations may be made.

2. By a written notification addressed to the Secretary General of the Council of Europe, any Party to the Convention may, at the time of signature of this Protocol or when depositing its instrument of ratification, acceptance or approval, make the declaration(s) identified in Articles 7, paragraphs 2.b and 8; Article 8, paragraph 11; Article 9, paragraphs l.b and 5; Article 10, paragraph 9; Article 12, paragraph 3; and Article 18, paragraph 2, of this Protocol.

3. By a written notification addressed to the Secretary General of the Council of Europe, any Party to the Convention shall make any declaration(s), notifications or communications identified in Article 7, paragraphs 5.a and e; Article 8, paragraphs 4, and 10.a and b; Article 14, paragraphs 7.c and 10.b; and Article 17, paragraph 2, of this Protocol according to the terms specified therein.

Article 20 - Status and withdrawal of reservations

1. A Party that has made a reservation in accordance with Article 19, paragraph 1, shall withdraw such reservation, in whole or in part, as soon as circumstances so permit. Such withdrawal shall take effect on the date of receipt of a notification addressed to the Secretary General of the Council of Europe. If the notification states that the withdrawal of a reservation is to take effect on a date specified therein, and such date is later than the date on which the notification is received by the Secretary General, the withdrawal shall take effect on this later date.

2. The Secretary General of the Council of Europe may periodically enquire of Parties that have made one or more reservations in accordance with Article 19, paragraph 1, as to the prospects for withdrawing such reservation(s).

Article 21 - Amendments

1. Amendments to this Protocol may be proposed by any Party to this Protocol and shall be communicated by the Secretary General of the Council of Europe, to the member States of the Council of Europe and to the Parties and signatories to the Convention as well as to any State which has been invited to accede to the Convention.

2. Any amendment proposed by a Party shall be communicated to the European Committee on Crime Problems (CDPC), which shall submit to the Committee of Ministers its opinion on that proposed amendment.

3. The Committee of Ministers shall consider the proposed amendment and the opinion submitted by the CDPC and, following consultation with the Parties to the Convention, may adopt the amendment.

4. The text of any amendment adopted by the Committee of Ministers in accordance with paragraph 3 shall be forwarded to the Parties to this Protocol for acceptance.

5. Any amendment adopted in accordance with paragraph 3 shall come into force on the thirtieth day after all Parties to this Protocol have informed the Secretary General of their acceptance thereof.

Article 22 - Settlement of disputes

Article 45 of the Convention shall apply to this Protocol.

Article 23 - Consultations of the Parties and assessment of implementation

1. Article 46 of the Convention shall apply to this Protocol.

2. Parties shall periodically assess the effective use and implementation of the provisions of this Protocol. Article 2 of the Cybercrime Convention Committee Rules of Procedure as revised on 16 October 2020 shall apply mutatis mutandis. The Parties shall initially review and may modify by consensus the procedures of that article as they apply to this Protocol five years after the entry into force of this Protocol.

3. The review of Article 14 shall commence once ten Parties to the Convention have expressed their consent to be bound by this Protocol.

Article 24 - Denunciation

1. Any Party may, at any time, denounce this Protocol by means of a notification addressed to the Secretary General of the Council of Europe.

2. Such denunciation shall become effective on the first day of the month following the expiration of a period of three months after the date of receipt of the notification by the Secretary General.

3. Denunciation of the Convention by a Party to this Protocol constitutes denunciation of this Protocol.

4. Information or evidence transferred prior to the effective date of denunciation shall continue to be treated in accordance with this Protocol.

Article 25 - Notification

The Secretary General of the Council of Europe shall notify the member States of the Council of Europe, the Parties and signatories to the Convention, and any State which has been invited to accede to the Convention of:

a. any signature;

b. the deposit of any instrument of ratification, acceptance or approval;

c. any date of entry into force of this Protocol in accordance with Article 16, paragraphs 3 and 4;

d. any declarations or reservations made in accordance with Article 19 or withdrawal of reservations made in accordance with Article 20;

e. any other act, notification or communication relating to this Protocol.

In witness whereof the undersigned, being duly authorised thereto, have signed this Protocol.

Done at [PLACE] on [DATE], in English and in French, both texts being equally authentic, in a single copy which shall be deposited in the archives of the Council of Europe. The Secretary General of the Council of Europe shall transmit certified copies to each member State of the Council of Europe, to the Parties and Signatories to the Convention, and to any State which has been invited to accede to the Convention.

Top